
Comments (5)

alexbaileyuk avatar alexbaileyuk commented on September 3, 2024

I've also come across this issue today but with TOTP authentication. I guess the type of authentication doesn't really matter here.

Essentially it looks like this bundle doesn't support requiring MFA on first login out-of-the-box.

I don't see a way around this at the moment, so I've installed email authentication (since all my users require email to be verified) and I've updated my code to automatically enable email MFA for the user following the guide here: https://symfony.com/bundles/SchebTwoFactorBundle/6.x/providers/email.html. Then, once logged in with email MFA, the user can add additional options.

I think it'd be great if there was an option in the bundle to require authentication on first login in the future. However, it might require substantial changes. A lot of this seems to boil down to logic in TotpAuthenticatorTwoFactorProvider::beginAuthentication, which requires TOTP values to be set before authentication can be made.

from 2fa.

allan-simon avatar allan-simon commented on September 3, 2024

I'm thinking maybe I need to add a "firewall" event that would fire a "NeedToSetupGoogleAuthenticatorException" ? 🤔


scheb avatar scheb commented on September 3, 2024

> I've tried to do [...] but it fails with User has to provide a secret code for Google Authenticator authentication.
> Which I think is normal because this condition is supposed to be used to enter a code for an existing authenticator

Correct. You cannot have Google Authenticator enabled, when you don't have a secret code configured. That's why the docs are recommending return null !== $this->googleAuthenticatorSecret; for isGoogleAuthenticatorEnabled().

> I've also come across this issue today but with TOTP authentication. I guess the type of authentication doesn't really matter here.

Correct. The 2fa provider doesn't matter for the implementation.

> Essentially it looks like this bundle doesn't support requiring MFA on first login out-of-the-box.

Correct, and that's how it's supposed to be. Everyone has their own expectations of how a forced 2fa should work, so it would be impossible to provide an out-of-the-box solution that makes everyone happy.

Actually I've never seen how people are solving this problem in the wild 🤷. How I'd recommend to handle this:

Ideally: Force people to setup 2fa during the registration process, so you know they have set it up once they login. You don't need to bother with it 😉.

If you can't do this - e.g. accounts are automatically created for users and therefore you can't set up 2fa for them - then you have to go the route "force them to set it up on the first login". For that, you'd need to inject a check into the login process, where you check if the user account has 2fa set up; if not, force them to set it up.

I'd recommend having a look at the AuthenticationTokenCreatedEvent event, which is dispatched right after creating the security token object, so by that point the authentication process was successful and you can get the user object from the security token. But at that point the authentication process hasn't been completed yet. The Symfony security layer does not know about that security token yet, so it's a great point to "do stuff" right in the middle of the login process 😄.

The 2fa bundle is actually using that event to inject its magic into the authentication process: intercept the security token, wrap it with 2fa magic, before it's announced to the security layer. Code for reference: https://github.com/scheb/2fa/blob/6.x/src/bundle/Security/TwoFactor/Event/AuthenticationTokenListener.php

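One way to implement the listener approach scheb describes above, as an added example that is neither scheb/2fa's own code nor anything posted in this thread. It assumes Symfony's authenticator-based security system (5.4+/6.x) with a stateful firewall, scheb/2fa-totp 6.x, and a User class implementing the bundle's Totp TwoFactorInterface; the class name, the session key, and the route names app_2fa_setup and app_logout are hypothetical. The AuthenticationTokenCreatedEvent handler only records that enrolment is pending; the separate kernel.request handler is what actually forces the user onto the setup page on every request, so simply navigating elsewhere after login cannot skip it.

```php
<?php
// Added example, not code from scheb/2fa: force TOTP enrolment on first login.
// Assumes Symfony 5.4+/6.x authenticator system, scheb/2fa-totp 6.x, and a user
// class implementing Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface.
// Route names "app_2fa_setup"/"app_logout" and the session key are assumptions.

namespace App\EventSubscriber;

use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticatorInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;

final class ForceTotpSetupSubscriber implements EventSubscriberInterface
{
    // Session key holding the provisional secret (assumed name).
    public const SESSION_KEY = 'totp_setup_required';
    // Routes the not-yet-enrolled user may still reach (assumed names).
    private const ALLOWED_ROUTES = ['app_2fa_setup', 'app_logout'];

    public function __construct(
        private RequestStack $requestStack,
        private TokenStorageInterface $tokenStorage,
        private UrlGeneratorInterface $urlGenerator,
        private TotpAuthenticatorInterface $totpAuthenticator,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // Fired mid-login, before the security layer sees the token.
            AuthenticationTokenCreatedEvent::class => 'onTokenCreated',
            // Priority 7: just below Symfony's firewall listener (8), so the
            // token storage is already populated when this runs.
            KernelEvents::REQUEST => ['onRequest', 7],
        ];
    }

    public function onTokenCreated(AuthenticationTokenCreatedEvent $event): void
    {
        $user = $event->getAuthenticatedToken()->getUser();
        if (!$user instanceof TwoFactorInterface || $user->isTotpAuthenticationEnabled()) {
            // Not a TOTP user, or already enrolled: the bundle handles the rest.
            return;
        }
        // Keep the provisional secret in the session only. It is written to the
        // user record by the setup controller after a correct code proves that
        // the user really has it in their authenticator app.
        $session = $this->requestStack->getSession();
        if (!$session->has(self::SESSION_KEY)) {
            $session->set(self::SESSION_KEY, $this->totpAuthenticator->generateSecret());
        }
    }

    public function onRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }
        $request = $event->getRequest();
        if (!$request->hasSession() || !$request->getSession()->has(self::SESSION_KEY)) {
            return; // no enrolment pending
        }
        $token = $this->tokenStorage->getToken();
        if (null === $token || !$token->getUser() instanceof TwoFactorInterface) {
            return; // anonymous request, or a user type we do not enrol
        }
        if (\in_array($request->attributes->get('_route'), self::ALLOWED_ROUTES, true)) {
            return;
        }
        // Every other route is forced onto the setup page until enrolment completes.
        $event->setResponse(new RedirectResponse($this->urlGenerator->generate('app_2fa_setup')));
    }
}
```

The setup controller behind app_2fa_setup (not shown) reads the provisional secret from the session, builds a TotpConfiguration from it on the in-memory user object so that getQRContent() and checkCode() from TotpAuthenticatorInterface can be used, and only on a correct code persists the secret and removes the session key. Persisting before verification would leave accounts with a secret the user never captured, which locks them out rather than securing them. Because the listener hooks AuthenticationTokenCreatedEvent, it also covers users whose accounts are created on the fly by an authenticator such as a SAML one, provided that authenticator goes through the authenticator-based security system.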

stale avatar stale commented on September 3, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


allan-simon avatar allan-simon commented on September 3, 2024

I will soon get to work on this again, I will keep you posted if I get a solution, but yes, I think I will check the AuthenticationTokenCreatedEvent

> If you can't do this - e.g. accounts are automatically created for users and therefore you can't setup 2fa for them - t

Yes, these users are coming from a SamlV2 connection,

but your explanation makes sense as to why this bundle does not provide a "built-in" solution.
