This is a great module, I like it a lot. Just wondering if we could make it optional on a site to users whether they want to use Two-Factor-Auth or not individually.

In other words, login without a code is generally possible. If, however, a user wasd conerned about his/her privacy they could setup their user account to make use of TFA. From then on, login only works with the code.

In such an environment we should consider what to do with the login form: either the field for "Code" stays in the form always and gets some description on what it means and that users can leave it empty if they haven't setup TFA for their account. Or we make the login process a two step process where the login form doesn't have that code field and instead, if a user logs in who has TFA enabled, then another form pops up that asks for the code. I guess this is how Google does it.

What do you think? If you were OK with that suggestion I consider writing the code and submit a patch for it.

Comments

Good idea, patches are very welcome.

So if a user has the permission 'login without code' and they create a code, they have to use the code to login. Each user can select this on their profile page and disable it whenever they want, but only when they have the permission 'login without code'.

Removing the code field from the form isn't going to work, because other modules can hook into it using hook_form_alter so it has to stay in the same form.

Status:Active» Needs review
StatusFileSize
new2.51 KB

@attiks, good description, that's exactly what I had in mind and attached is a patch that achieves exactly that. Please review and let me know what you think.

Status:Needs review» Needs work

Nice work

+++ sites/all/modules/ga_login/ga_login.module (revision )
@@ -306,9 +313,35 @@
+  else if ($form_id == 'user_profile_form') {

should be elseif

+++ sites/all/modules/ga_login/ga_login.module (revision )
@@ -306,9 +313,35 @@
+    $form['ga_login']['ga_login_force_tfa'] = array(
+      '#type' => 'checkbox',
+      '#title' => t('Protect my account with two-factor-authentication'),
+      '#default_value' => isset($account->data['ga_login_force_tfa']) ? $account->data['ga_login_force_tfa'] : FALSE,
+      '#description' => t('Check this box to force two-factor-authentication during login. If you decide to do so and haven\'t yet created your key, then please also refer to <a href="@url">GA Login</a>.', array('@url' => url('user/' . $account->uid . '/ga_login'))),

Maybe it is safer to only allow this option if they already have a code?

Thanks. Will be correcting the "elseif" in a second but wanted to discuss your second item first:

I understand the thinking behind it and like the idea of keeping it as simple as possible. However, if they find the option in the profile and first need to go somewhere else to be able to set it, they feel like jumping around maybe.

So, how about leaving it as is and if they turned it on and haven't got a code yet, that we redirect them to the page to generate one straight away?

#4 great idea

Index: sites/all/modules/ga_login/ga_login.module

can you make the patch from inside the ga_login directory

Status:Needs work» Needs review
StatusFileSize
new3.58 KB

OK, here is the next round of patch including everything discussed above.

I cannot apply the patch, can you create one using git diff (or something similar)

That's difficult. What's the problem you're getting? Maybe you want to remove the header form the patch file? It is in fact a regular patch file, just out of my IDE (PHPStorm) and it hasn't caused issues elsewhere.

The patch has been created against the dev release from 2012-09-06, maybe you have changed the code since and that is the reason why?

Assigned:Unassigned» Jelle_S
Status:Needs review» Patch (to be ported)
Issue tags:+needs backport to D6
StatusFileSize
new4.09 KB

Patch applied using patch command, but have a look at http://drupal.org/node/707484 so you can configure your editor to make it easier for us (and our tools)

Thanks, fixed for Drupal 7 in latest dev version.

Sorry if I got this wrong but will this allow a user to turn of 2-factor auth after they have set it up?

I run some sites with users not that tech savvy that do not need 2-factor auth as much as other users. e.g. some users only login from their homes and have complex passwords but may have problems dealing with GA. Others login in from different boxes and may be concerned about keyloggers, etc.

So when I set up 2-factor auth for all users but later on we find that some of them are overwhelmed by the 'complexity' I need a way to turn it off for them.

I will gladly open a new issue but I wanted to check before if this is what I need and I only didn't understand it thoroughly.

Thank you for this great module, by the way!

As far as I understand it, your users will be allowed to turn TFA off if you grant them the permission to login without TFA.

#12 that's the right explanation.

Thank you. This is what I was looking for. I'm very impressed how communication with users is handled here. Thank you.

Status:Patch (to be ported)» Fixed

Not ported to 6.x due to lack of time. Feel free to reopen and create a patch if anyone would need this is 6.x

Assigned:Jelle_S» Unassigned

Automatically closed -- issue fixed for 2 weeks with no activity.