E-Mail as Second Factor

This plugin adds the user’s e-mail account as a second authentication factor.

After logging in through another authentication module, a one-time code will be generated by the portal and sent to the user’s e-mail address. The user will be prompted for this code in order to finish the login process.

Attention

This plugin only improves security when the user's mailbox is not protected by the same password used to log in to LemonLDAP::NG: if the mail account shares that password, anyone who has it can read the one-time code as well. And if the mailbox itself sits behind LemonLDAP::NG, the user will not be able to open it to retrieve the code.

Configuration

Before configuring this module, make sure the user's email address is correctly fetched from your UserDB plugin and appears in the session browser. If you want to store the user's e-mail in a session field other than the default mail, go to "General Parameters » Advanced parameters » SMTP" and set the "Session key containing mail address" parameter.

All parameters are configured in “General Parameters » Second factors » Mail second factor”.

  • Activation: Set to On to activate this module. If a user does not have an email address, they will encounter an error on login. If you want to use this plugin only for users who have an email address, use $mail (or whatever your e-mail session key is) as the activation rule.

  • Code regex: The regular expression used to generate one-time codes. The default is a 6-digit code.

  • Code timeout: It might take a while for users to open their e-mail account and find the code. Raise this timeout if the default (2 minutes) isn’t enough.

  • Mail subject: The subject of the email the user will receive. If you leave it blank, it will be looked up in translation files.

  • Mail body: The plain text content of the email the user will receive. If you leave it blank, the mail_2fcode HTML template will be used. The one-time code is available in the $code variable.

  • Re-send interval: Set this to a non-empty value to allow the user to re-send the code in case a transmission error occurred. The value is the number of seconds the user has to wait before each new attempt; keep it shorter than the code timeout, otherwise the code expires before it can be re-sent.

  • Authentication level (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5

  • Label (Optional): label that should be displayed to the user on the choice screen

  • Logo (Optional): logo file (in static/<skin> directory)
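The parameters above as they would appear together in a file-based LemonLDAP::NG configuration (lmConf-N.json). This fragment is added here as an illustration and is not copied from the project's documentation or source. The key names (mailSessionKey, mail2fActivation, mail2fCodeRegex, mail2fTimeout, mail2fResendInterval, mail2fSubject, mail2fBody, mail2fAuthnLevel, mail2fLabel, mail2fLogo) are the assumed internal names of the manager fields listed above, and mail.png is an assumed logo file; verify both against a configuration export from your own manager before applying. The values reflect the caveats in this page: activation is restricted to sessions that carry an address, the timeout is raised to 5 minutes, and the resend interval is shorter than the timeout.

```json
{
  "mailSessionKey": "mail",
  "mail2fActivation": "$mail",
  "mail2fCodeRegex": "\\d{6}",
  "mail2fTimeout": 300,
  "mail2fResendInterval": 30,
  "mail2fSubject": "Your one-time login code",
  "mail2fBody": "Your one-time code is $code. It expires in 5 minutes.",
  "mail2fAuthnLevel": 5,
  "mail2fLabel": "E-mail code",
  "mail2fLogo": "mail.png"
}
```

Because the activation rule is evaluated against the session, a user whose session has no mail attribute is simply not offered this factor rather than failing with an error, which is the behaviour the Activation parameter above describes for the $mail rule. The same keys can be set without editing the file through the manager or the lemonldap-ng-cli "set" command.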