GoogleAuthenticatorX: Add 2-step verification to MODX manager login.

GoogleAuthenticationX will add 2-step verification (Google authenticator) or some call it 1 time password to MODX manager login.

I've submit the extra today, awaiting moderators approval.



[ed. note: mina_gerges last edited this post 9 years, 8 months ago.]

Would be nice if a beta were available to test and beat up on to see if there are any odd corner cases where it breaks. Is it on github?

Beta was tested by a couple of testers (this is why all issues to date are posted by myself), Github: https://github.com/minagerges/MODX-GoogleAuthenticatorX

Appreciate your feedback.

Where's the code? That's just the license and the readme, which doesn't really say much.

I mistakenly uploaded to develop branch, please change the branch to develop and you will see it all.

Heh. Got it. I need to get back into the habit of clicking on everything just to see what's there!

Hm. Got it, installed it...thoughts and first impressions.

Looks really interesting. Now what do I do with it?

Did a bit of research. Apparently what this is supposed to do is text me or send me in some other way a one-time use 'verification' code... sort of like a second one-time password. I would presume that one has to have one's cellphone number in one's profile?

The link to documentation (https://github.com/minagerges/MODX-GoogleAuthenticatorX/wiki) doesn't appear to exist.

I see a bunch of extended fields added to my users, and the new GoogleAuthenticatorX tab. Looks very impressive. [ed. note: sottwell last edited this post 9 years, 8 months ago.]

My bad, I added the instruction when I submit the extra, but forgot to copy it to the wiki page now i don't have it so i will write a draft here and will update the wiki later. (Planning an end-user guide in PDF to be sent as instruction)

1. Install "Google Authenticator" & QR-code reader on your mobile phone. (for android i prefer "barcode scanner")
2. On MODX manager: Manage > Users, write click your own account then update.
+ You will notice a new tab "GoogleAuthenticatorX" open it.
+ Click show secret (NB. you have to be a sudo user)
3. Open "Google Authenticator" on your mobile device, choose "Set up account", then choose "Scan a barcode"
4. Scan the onscreen barcode provided by "GoogleAuthenticatoX"
5. You will notice a 6 digits code on "Google Authenticator" mobile application changing every 30 seconds. (This is the code to be used while logging into MODX manager)
6. On MODX manager, go to System settings, "GoogleAuthenticatorX" namespace, and change "Disable 2-step verification" to "No".
7. If you have courtesy login enabled (Best way to provide the secret) if you refresh the page you will be provided with the same QR-code and will be logged out instantly, if you did not perform steps 1 to 5 earlier, you will have only 60 seconds to scan that qr-code
8. On your next attempt to login to MODX manager you will notice and extra field "Autentication key", after entering your credentials, enter the code provided by "Google Authenticator" mobile application (the one mentioned in step 5) and log in.

Now MODX manager log-in is secured with Google Authenticator 2-step verification (1 time password, which changes every 30 seconds).

All Users who will attemp to log-in through the manager will be required to enter the Authentication key (if enabled), ONLY the first login after every secret reset allows a courtesy login (if enabled)

Any questions please do not hesitate to post here.

The plot thickens! Must have cellphone, must install app. Ok. I should be able to do that.

So once I set this thing up, which involves going to my user account and reading one of those squiggly square things, then when I go to log in, after the usual login with password, I get a popup window with one of those squiggly square things. I need to read that with the barcode reader, then I'm logged in.

And you can email that square thing (fingers starting to stumble over the "squiggly" part) to a user, just as you can email him his password. I presume everybody gets his own square thing?

I didn't see any option to say "don't ask for this again on this computer".