I recently implemented Multi Factor Authentication in one of the projects I work on. Antonio Ribeiro has a great package that makes this implementation extremely easy, and Christopher Thomas published a cool strategy for it. Let’s go over the steps.
composer require pragmarx/google2fa-laravel
The first thing users need is a way to enable or disable multi factor authentication. One way to achieve that is to expose a GET profile/token request that renders an enable view if the user doesn’t have a private key yet, or a disable view if they have already enabled it.
In showEnableTokenForm, the Google2FA Facade is responsible for generating a secret key and for generating the QR Code that the user scans to capture that secret key.
Don’t forget to show the QR Code through an image tag:
<img src="{{ $QRCode }}" alt="">
Once the user scans the QR Code, they can type in the one time password and submit it for the application to validate before activation.
If the user submits the correct one time password, the Google2FA Facade validates it and the secret is stored in the user’s table.
After activating the token, the next step is to require it during the login process. With Laravel’s default authentication system, LoginController comes with an authenticated method that can be used to trigger an action post-authentication, a perfect place to request the token.
The strategy is to check whether the authenticated user has a token and require a one time password if they do. If the token is null, the regular behavior of redirecting to the home page applies. Otherwise, the user gets redirected to the /token route.
Note: Make sure to add a google_token column to your users table.
The TokenController shows a simple view with an input field requiring the one time password.
On submit of this form, the goal is to retrieve the user and verify their one time password against their google token. If it matches, they are authenticated; otherwise, ask again.
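Here is the post-login hook and the token controller described above, written as an added example rather than the author’s own code, against Laravel’s default auth scaffolding and the pragmarx/google2fa-laravel facade. The google_token column comes from the post; the session key token:user_id, the route names token and login, the App\User model and the field name one_time_password are assumptions.

```php
<?php
// Added example (not the post's code). Assumed: session key 'token:user_id',
// route names 'token' and 'login', model App\User, input 'one_time_password'.
// The google_token column is the one the post tells you to add.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use PragmaRX\Google2FALaravel\Facade as Google2FA;

class LoginController extends Controller
{
    // Called by the AuthenticatesUsers trait after the password check passes.
    protected function authenticated(Request $request, $user)
    {
        if ($user->google_token === null) {
            return null; // no MFA enrolled: the default home redirect applies
        }

        // Drop the session login so the password alone grants nothing, and
        // remember only who is mid-way through MFA (the session survives logout).
        Auth::logout();
        $request->session()->put('token:user_id', $user->id);

        return redirect()->route('token');
    }
}

class TokenController extends Controller
{
    public function verify(Request $request)
    {
        $request->validate(['one_time_password' => 'required|digits:6']);

        $userId = $request->session()->get('token:user_id');
        if ($userId === null) {
            return redirect()->route('login'); // no pending MFA: start over
        }

        $user = \App\User::findOrFail($userId);
        if (! Google2FA::verifyKey($user->google_token, $request->input('one_time_password'))) {
            return back()->withErrors(['one_time_password' => 'Invalid one time password.']);
        }

        $request->session()->forget('token:user_id');
        Auth::loginUsingId($user->id); // only now is the user actually logged in
        return redirect()->intended('/home');
    }
}
```

Wire the two TokenController actions to GET and POST /token behind the guest middleware, since the user is logged out while the one time password is pending.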
The package makes it amazingly simple to implement multi factor authentication in any Laravel application. Focusing only on generating a secret key and validating it whenever necessary, the Google2FA Facade handles the job perfectly. Another interesting point is the strategy of using the Auth Facade to force a logout while requesting the one time password and relying on loginUsingId when the token matches.