Two-factor authentication (also known as 2FA) is a mechanism that adds security to website accounts by requiring a single-use code in addition to a user name and password.

This code is typically generated by a hardware dongle or your phone, meaning that you must not only know the password, but also physically have the code generator.

I thought it would be cool if Known had this capability, and so I wrote a plugin to implement it!

How it works

Once the plugin is installed and activated by the admin user, each user will be able to enable two step authentication through a menu on their settings page.

Enabling two-factor authentication generates a secret key, from which an app such as Google Authenticator derives time-limited codes. To make setup easier, the plugin renders this secret as a QR code that the app can scan.

From then on, when you log in, you will get an extra screen which will prompt you for a code.

Enter the code produced by your authenticator and you will be given access!
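The flow described above (generate a secret, encode it for the QR code, derive a time-limited code, check it at login) is standard TOTP as specified in RFC 6238. The following is an added example that walks through that flow in Python; it is not the plugin's own code, and the function names (`enroll_user`, `verify_totp`), the `Known` issuer string and the sample account are assumptions made for the illustration. The verifier includes a replay guard and a constant-time comparison, which are the two checks a practitioner would want on top of the bare arithmetic.

```python
"""Added example: a minimal RFC 6238 TOTP enrolment/verification flow.

Constructed for illustration; not the Known plugin's own code. Names such as
enroll_user(), verify_totp() and the issuer string are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

PERIOD = 30   # seconds per time step (Google Authenticator default)
DIGITS = 6    # code length shown in the app


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded without padding (what the app stores)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Undo the unpadded base32 form into the raw HMAC key."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the setup QR code encodes (Key Uri Format)."""
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}"
    )


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / PERIOD)."""
    return hotp(decode_secret(secret_b32), at // PERIOD)


def verify_totp(secret_b32: str, submitted: str, at: int,
                window: int = 1, last_used_step=None):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns (accepted, new_last_used_step). A step at or before last_used_step is
    never accepted again, so a code captured from the user cannot be replayed
    within its validity window.
    """
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False, last_used_step
    key = decode_secret(secret_b32)
    step = at // PERIOD
    for delta in range(-window, window + 1):
        candidate = step + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # Constant-time comparison: avoid leaking which digits matched.
        if hmac.compare_digest(hotp(key, candidate), submitted):
            return True, candidate
    return False, last_used_step


def enroll_user(account: str, issuer: str = "Known") -> dict:
    """What the settings page would store and show: the secret and the QR payload."""
    secret = generate_secret()
    return {"secret": secret, "qr_payload": otpauth_uri(secret, account, issuer)}


if __name__ == "__main__":
    enrolment = enroll_user("alice@example.com")          # constructed sample account
    print("QR code should encode:", enrolment["qr_payload"])
    now = int(time.time())
    code = totp(enrolment["secret"], now)                  # what the app would display
    ok, last = verify_totp(enrolment["secret"], code, now)
    print("login code", code, "accepted:", ok)
    ok_again, _ = verify_totp(enrolment["secret"], code, now, last_used_step=last)
    print("same code replayed:", ok_again)                 # False
```

The `window` of one step either side absorbs small clock drift between the server and the phone; widening it trades convenience for a larger set of codes an attacker could guess, so the `last_used_step` bookkeeping matters more as the window grows. The secret must be stored server-side as carefully as a password hash would be, since anyone holding it can compute every future code.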

» Visit the project on Github...

3 thoughts on “Two Factor Authentication in Known”

  1. Based on prompting from a point made in this great article, I extended the System logging Known plugin that I wrote previously, to include a visual security log.
    This log shows a user by user security log, showing login/logout and login failure attempts for each user’s account, plus a global log visible to the administrator. This provides a visual way for you to keep track of when, and from where, your account has been accessed, and hopefully give you tools to spot erroneous access attempts (for additional security you should totally check out my two factor authentication plugin as well).
    » Visit the project on Github…


  2. I have previously mentioned my two factor authentication plugin for Known. Using this plugin, you are able to grant your Known users an extra level of security on their account, allowing them to enter a secondary authentication code (usually from an authentication application like Google Authenticator on their phone).
    This is a very powerful way of preventing an attacker from accessing your account by brute forcing your password (and combined with a syslog plugin + fail2ban combo makes breaking in the front door even harder).
    To make it easy to register your application for two factor auth, the plugin generates a QR code that you can scan. Originally I used a Google API to generate this (connecting over TLS), which presented a problem that you had to expose your access code to a US company. For security, it’s probably better that the QR is served locally if it’s safe to do so.
    Therefore, I made a small modification to the code to incorporate (a slightly modified / bugfixed) version of Terence Eden’s PHP QR Code generator.
    Now, if you visit your two factor settings page over TLS, the QR code that you get will be served from your local server. If your site is hosted on a non-secure server (a really really bad idea, but sometimes unavoidable) it’ll fall back to serving the QR code using a secure connection to Google’s servers, by way of a least worst option.
    Have a play!
    » Visit the project on Github…

