5. Two-step Validation (with Google Authenticator)¶
SonataUserBundle provides an optional layer of security by including a support for a Two-step Validation process.
When the option is enabled, the login process is done with the following workflow:
- the user enters the login and password
- if the user get the correct credentials, then a code validation form is displayed
- at this point, the user must enter a time based code provided by the Google Authenticator application
- the code is valid only once per minute
So if your login and password are compromised then the hacker must also hold your phone!
composer require sonata-project/google-authenticator
Edit the configuration file:
1 2 3 4 5 6 7 8 9 10
# config/packages/sonata_user.yaml sonata_user: google_authenticator: enabled: true server: yourserver.com trusted_ip_list: - 127.0.0.1 forced_for_role: - ROLE_ADMIN
Also, if you want to use
configuration nodes for automatically setting the secret to user
(secret - a connection between user and device that will scans QR-code)
and showing QR-code in login form, you need to set the success handler
in your firewall to
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
# config/packages/security.yaml security: firewalls: # Disabling the security for the web debug toolbar, the profiler and Assetic. dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false # -> custom firewall for the admin area of the URL admin: pattern: /admin(.*) context: user form_login: provider: fos_userbundle login_path: /admin/login use_forward: false check_path: /admin/login_check failure_path: null success_handler: sonata.user.google.authenticator.success_handler
Then after success login, if the user needs to use 2FA and has no secret, a QR code will be shown in the login form.
Now if the
User::twoStepVerificationCode property is not null, then a second form will be displayed.