TWO-FACTOR AUTHENTICATION

Is there any open-source module for Google TWO-FACTOR AUTHENTICATION in Dolibarr?

1 Like

I know there are several open-source options for 2FA available but nothing “out of the box”. Everything needs to be adjusted…

Btw.
There is a 2FA module available in Dolistore. I’m using it and it works fine. Also, the developer’s helpdesk responds quickly, therefore I can recommend it.

Br

1 Like

Hi LHuthmann,

Thanks for your reply. And sorry for my late reply. Yes, I have seen a module in Dolistore. But I am searching for an open-source, free-to-use product. If I get one, then good; otherwise I will have to think about developing one.

BTW

“I know there are several open-source options for 2FA available but nothing “out of the box”. Everything needs to be adjusted…”
Will you please name those modules which I can use in Dolibarr with some adjustment?

I know that it’s not free but it is almost :grin:
I’ve developed and published this module (30€) just this week:

https://www.dolistore.com/en/modules/1575-TOTP-2FA-Login.html

Compatible with Dolibarr 8.X to Dolibarr 14.X
Pay only once and enjoy updates forever :slight_smile:

1 Like

@caos30

I am also a Dolibarr developer :slight_smile: thanks for your suggestion.

Hi. Thanks for this great development.

Can you please add a function to send approval requests directly to handphones, so that the access can be directly granted on the phone instead of looking for a PIN? Thanks.

Are you talking about an SMS message with a PIN code?

What I meant is a handphone push notification.
I believe that SMS is for paid service.

Handphone notifications require the user to have installed an app on the smartphone, I think.

I think you’re complicating your life. TOTP apps (like Authy, Google Authenticator) use a standard of temporary 6-digit codes that is used around the internet by all kinds of web services (from Facebook to hosting providers, etc.) and it’s very comfortable: you only need one app and then you add as many accounts as you need for third-party web services (like Dolibarr, for example).

What’s more, these “generator apps” exist as browser extensions (although I recommend managing your generator on a second device, for security). You can even develop your own “generator app” very easily (I did it).

Maybe I am wrong, but I would say that for mobile push notifications you need to have an app installed on your phone. For example, my bank requires me to use THEIR APP. So it’s a less comfortable system for users: you need an app for each web service you need to access.

Maybe a solution like this, but easier to implement and more comfortable and flexible for the user, would be to send a temporary 6-digit code to an email address. So you can access Dolibarr just by reading the code sent to your email address… so if you have configured your smartphone to read emails, then you have a kind of “push notifications” :wink:

Even another free solution: send the code to your Telegram user. But this solution would first require you to create a bot on Telegram connected (hooked) to the Dolibarr module in a unique Dolibarr instance, and beforehand you would have to get in contact with that bot by searching on Telegram… bufffff, it really is much more complicated than simply using a standard TOTP app generator :wink:

The Telegram bot could be useful and interesting for other functionalities, for example, a kind of new interface to get data from your Dolibarr directly on your Telegram (stats, PDF documents…?) or to send documents… But to do these things you already have the WEB VERSION of Dolibarr or even DoliDroid.

So… my friend, let me insist: don’t complicate your life. TOTP codes are the best option :wink:

There is some misunderstanding.

Please refer to the YouTube video “How to Use 2fa: Push Notification”.
This push notification exists similarly for MS 365 and Google accounts.

I think that you have not implemented push notifications for smartphones, have you? Half a year ago I searched about it and I don’t remember the details, but I would say that usually it’s NOT FREE to send push notifications. You have paid services like Twilio (Sendgrid). Maybe for Android it would be free, but not for iOS (excuse me if I’m wrong, I’m talking about something I searched almost a year ago). Anyway, it was NOT EASY 1) to implement (from the developer’s point of view), and 2) to use from the user’s point of view.

You must know that you are not able to send push notifications to anybody you want!! (if it were possible we would be overrun by spammers!)… The usual and only way, as I said in a comment above, is that you give the web service sending push notifications permission to send you new notifications in the future.

Excuse me for insisting then… but this is EXACTLY the same as what TOTP 2FA 6-digit codes do, but much more standard and cross-platform, and not dependent on third-party OSs (Android, iOS, Windows, Linux, etc.); each user chooses which TOTP6 code generator she prefers to use to securely access her web services.

Push notifications on iOS:
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_certificate-based_connection_to_apns

  1. If you read there, the first thing they ask you is to have an account on developer.apple.com … and I think that it costs at least 100 USD / year, my friend! … it’s so ridiculous… :expressionless:

  2. The second thing: “Certificates must be tied to a specific app.” … so, as I told you some days ago: the user who wants to receive push notifications from you must install your app. I don’t know if you can send push notifications without that.

Anyway… complex, not free… my friend, this is the reason TOTP was invented :smiley:

Hi.

I have updated the TOTP 2FA to v1.7 and just realised that it might not be working properly.

My new user cannot enable his TOTP 2FA function because it says the authentication code is invalid (cannot be validated so the 2FA is not enabled). There is also no PIN code email sent by the system to his email address.

I have to reinstall the v1.2.

Could you please review? Thanks.

My apologies for responding 4 months later… I didn’t see any email notification about your comment here, so I’ve seen it now that I logged in to find an answer to another issue.

Could you solve the problem? In these cases, the usual thing is:

  • to check that you have correctly configured the sending of emails by Dolibarr.
  • and maybe a not so clear requirement (maybe I should note it more clearly in the settings of the module): you must be sure that the server CLOCK is running with the correct time !!

This last requirement is very important, because these 6-digit codes of TOTP 2FA authentication systems RELY on the premise that both (server and your device generating 6-digit tokens) are synchronized in TIME !! If both devices are not synced, then it’s impossible for the generated code to match ! :sweat_smile:

1 Like