Two-factor authentication

6 posts by 2 authors in: Forums > CMS Builder
Last Post: May 6, 2023   (RSS)

By andreasml - May 1, 2023

Hi

I wonder whether it would be possible to add an extra layer of security when logging in CMSB by adding a two-factor authentication. This feature would require users to enter a unique code sent to their registered phone number or email address to log in to the app.

Regards,

Andreas Lazaris

By Dave - May 2, 2023

Hi Andreas, 

It's definitely possible and we've done some one-off custom implementations before.  There's sending a code or login link to email or sms, or requiring an app that shows a rotating code you can enter.  I've also seen some sites defaulting to offering login links directly.  So you enter your email and they email you a login link rather than asking for your password.  

And there's also a new multi-vendor standard called passkeys which is supposed to allow for passwordless device-based authentication.  

So lots of standards and options.  I was thinking of waiting a bit to see if passkeys catches on as that would be ideal.  What's your particular use case? 

Dave Edis - Senior Developer
interactivetools.com

By Dave - May 5, 2023

Hi Andreas, 

The simplest would likely be to add a second layer of authentication after they've successfully entered your password.

You could email them a random code they had to enter, which would probably be simplest, or you could text them a code, but that would require having an account with an SMS provider and a small monthly fee to send texts.  

We have this plugin for sending text messages: https://www.interactivetools.com/plugins/outgoing-sms/ that supports sending text messages via: txtlocal.com, twilio.com and amazon.com

If you wanted to try building that yourself I think the simplest way would be to reimplement the login screen.  So have a custom username/password login screen, and if the user entered the correct username and password, send them an email with a random code and require them to enter it, then complete the login if they do it successfully.

Or we could also quote on it if you wanted us to build it for you.

Hope that helps, let me know if you have any other questions!

Dave Edis - Senior Developer
interactivetools.com

By andreasml - May 5, 2023

Hi Dave

Thank you for your reply. I think receiving an email would be ok, but it would make the procedure more complex. I wonder if it would be possible to implement an authenticator app, like Google Authenticator, for example, in the login screen as an option. If yes, do you know how it could be done? I have done some searches on Google pages but have not come to a solid conclusion on how it can be done.  Overall, giving users more options, like receiving an SMS (through your plugin probably) or an email (as you said), would be better.

I am unsure what the better and more convenient option should be, so I welcome your opinion. 

The current login system is great, but as I am trying to implement the CMSB in a mobile app, I have been asked by Apple to provide better ways of protection as the CMSB is supposed to collect personal data (issues with GDPR, etc.). 

Kind regards, 

Andreas Lazaris

By Dave - May 6, 2023

Hi Andreas, 

Yea, we can build that or you can search for some existing libraries.  I found some Twilio libraries and sample code for here: 
https://www.twilio.com/docs/verify/quickstarts/totp

I haven't used that one personally but they generally have really nice APIs.

So it's all possible, you might want to check with Apple first before you code anything to see if a time-based one-time password (TOTP) system for 2FA such as is used by Google Authenticator would meet their needs for additional login protection.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com