5. Two-step Validation (with Google Authenticator)

The SonataUserBundle provides an optional layer of security by including a support for a Two-step Validation process.

When the option is enabled, the login process is done with the following workflow:

  • the user enters the login and password
  • if the user get the correct credentials, then a code validation form is displayed
  • at this point, the user must enter a time based code provided by the Google Authenticator application
  • the code is valid only once per minute

So if your login and password are compromised then the hacker must also hold your phone!

5.1. Installation

1
composer require sonata-project/google-authenticator

Edit the configuration file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
# config/packages/sonata_user.yaml

sonata_user:
    google_authenticator:
        enabled: true
        server:  yourserver.com
        trusted_ip_list:
            - 127.0.0.1
        forced_for_role:
            - ROLE_ADMIN

Also, if you want to use trusted_ip_list and forced_for_role configuration nodes for automatically setting the secret to user (secret - a connection between user and device that will scans QR-code) and showing QR-code in login form, you need to set the success handler in your firewall to sonata.user.google.authenticator.success_handler, example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
# config/packages/security.yaml

security:
    firewalls:
        # Disabling the security for the web debug toolbar, the profiler and Assetic.
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # -> custom firewall for the admin area of the URL
        admin:
            pattern:             /admin(.*)
            context:             user
            form_login:
                provider:        fos_userbundle
                login_path:      /admin/login
                use_forward:     false
                check_path:      /admin/login_check
                failure_path:    null
                success_handler: sonata.user.google.authenticator.success_handler

Then after success login, if the user needs to use 2FA and has no secret, a QR code will be shown in the login form.

Now if the User::twoStepVerificationCode property is not null, then a second form will be displayed.