Allow TOTP configuration options #6

elliot-sawyer · 2018-05-30T10:48:03Z

Certain aspects of the QR code and the authenticator should be configurable by the developer or CMS admin. This list includes:

length of token (currently defaults to 6)
Allow freshly expired or upcoming tokens to authenticate, currently not allowed. If the server time or user's time are not exactly synced, validation may fail.
Some authenticator apps support changing the TOTP algorithm, for SHA1 (default), SHA256, and SHA512. Google Authenticator ignores this, but others may support it.
Configurable counter and period. Google Authenticator ignores this, but others may support it.
issuer and label currently defaults to SiteConfig.Title. This is ideally configureable by a CMS admin or via developer config. SiteConfig.Title should be the fallback
extension hooks:
- TOTPForm::getFormFields
- TOTPForm::getFormActions
- TOTPAuthenticator::validateTOTP
- TOTPLoginHandler::validateTOTP

Other suggestions welcome in the comments

elliot-sawyer · 2018-06-04T09:37:48Z

PR for algorithm adjustment: #10

robbieaverill · 2018-11-05T15:26:43Z

Labelled as impact/high because configurability is very important for this before stable release

robbieaverill added type/enhancement New feature or request affects/v4 change/minor effort/medium impact/high labels Nov 5, 2018

Provide feedback