Two-factor authentication

6 posts by 2 authors in: Forums > CMS Builder
Last Post: May 6, 2023

By andreasml - May 1, 2023

Hi

I wonder whether it would be possible to add an extra layer of security when logging in to CMSB by adding two-factor authentication. This feature would require users to enter a unique code sent to their registered phone number or email address to log in to the app.

Regards,

Andreas Lazaris

By Dave - May 2, 2023

Hi Andreas, 

It's definitely possible and we've done some one-off custom implementations before. There's sending a code or login link to email or SMS, or requiring an app that shows a rotating code you can enter. I've also seen some sites defaulting to offering login links directly. So you enter your email and they email you a login link rather than asking for your password.

And there's also a new multi-vendor standard called passkeys which is supposed to allow for passwordless device-based authentication.  

So lots of standards and options.  I was thinking of waiting a bit to see if passkeys catches on as that would be ideal.  What's your particular use case? 

Dave Edis - Senior Developer
interactivetools.com

By andreasml - May 2, 2023

Hi Dave,

I am trying to implement my CMSB database in a mobile app and considering offering an extra level of security by adding another authentication factor. 

What option do you think would be the easiest to construct and the most efficient? Any suggestions on the steps to follow? Should I use a third-party application, or can it be created by a custom plugin?

Regards, 

Andreas

By Dave - May 5, 2023

Hi Andreas, 

The simplest would likely be to add a second layer of authentication after they've successfully entered your password.

You could email them a random code they had to enter, which would probably be simplest, or you could text them a code, but that would require having an account with an SMS provider and a small monthly fee to send texts.  

We have this plugin for sending text messages: https://www.interactivetools.com/plugins/outgoing-sms/ that supports sending text messages via: txtlocal.com, twilio.com and amazon.com

If you wanted to try building that yourself I think the simplest way would be to reimplement the login screen.  So have a custom username/password login screen, and if the user entered the correct username and password, send them an email with a random code and require them to enter it, then complete the login if they do it successfully.

Or we could also quote on it if you wanted us to build it for you.

Hope that helps, let me know if you have any other questions!

Dave Edis - Senior Developer
interactivetools.com
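
The emailed-code step described in the post above, as an added example that is not part of the original thread and is not interactivetools code. It is plain PHP with no CMS Builder functions; the function names, the `$store` array (standing in for a database row or server-side session), the 10-minute lifetime and the 5-attempt limit are all assumptions.

```php
<?php
declare(strict_types=1);

const CODE_TTL_SECONDS = 600; // assumed 10-minute validity window
const MAX_ATTEMPTS     = 5;   // assumed guess limit per issued code

// Call only after the username/password check has succeeded.
// $store stands in for a per-user record (DB row or server-side session).
function issueLoginCode(array &$store, string $userId, int $now): string
{
    // random_int() draws from a CSPRNG; zero-pad so every code has 6 digits.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$userId] = [
        'hash'     => hash('sha256', $code), // do not store the plaintext code
        'expires'  => $now + CODE_TTL_SECONDS,
        'attempts' => MAX_ATTEMPTS,
    ];
    return $code; // caller emails this to the address already on file
}

function verifyLoginCode(array &$store, string $userId, string $submitted, int $now): bool
{
    $rec = $store[$userId] ?? null;
    if ($rec === null) {
        return false;               // no code pending for this user
    }
    if ($now > $rec['expires'] || $rec['attempts'] <= 0) {
        unset($store[$userId]);     // expired or guesses exhausted: start over
        return false;
    }
    // hash_equals() compares in constant time.
    if (hash_equals($rec['hash'], hash('sha256', trim($submitted)))) {
        unset($store[$userId]);     // single use: a code cannot be replayed
        return true;
    }
    $store[$userId]['attempts']--;  // count the failed guess
    return false;
}

// Constructed demo run with a fixed clock value.
$pending = [];
$t0      = 1700000000;
$code    = issueLoginCode($pending, 'user42', $t0);
$wrong   = $code === '000000' ? '000001' : '000000';
var_dump(verifyLoginCode($pending, 'user42', $wrong, $t0 + 5));  // wrong guess
var_dump(verifyLoginCode($pending, 'user42', $code, $t0 + 30));  // correct code in window
var_dump(verifyLoginCode($pending, 'user42', $code, $t0 + 31));  // same code after use
```

The login session should be marked as authenticated only when `verifyLoginCode()` returns true, and issuing new codes should be rate-limited per account so the attempt limit cannot be reset by requesting fresh emails.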

By Dave - May 6, 2023

Hi Andreas, 

Yea, we can build that or you can search for some existing libraries. I found some Twilio libraries and sample code here:
https://www.twilio.com/docs/verify/quickstarts/totp

I haven't used that one personally but they generally have really nice APIs.

So it's all possible, you might want to check with Apple first before you code anything to see if a time-based one-time password (TOTP) system for 2FA such as is used by Google Authenticator would meet their needs for additional login protection.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com