TWO-FACTOR AUTHENTICATION

Is there any opensource module for google TWO-FACTOR AUTHENTICATION in Dolibarr?

i know there are several opensource for 2FA available but nothing “out of the box”. everything needs to be adjusted…

Btw.
There is an 2FA module in Dolistore available. I’m using it and it works fine. Also the helpdesk of the developer respond quickly therefore i can recommend it.

Br

1 Like

Hi LHuthmann,

Thanks for your reply. And sorry for my late reply. Yes i have seen a module in Dolistore. But i am searching for an opensource free to use product. If i will get any then good otherwise i will have to think to develop.

BTW

“i know there are several opensource for 2FA available but nothing “out of the box”. everything needs to be adjusted…”
Will you please name those modules which i can use in Dolibarr with some adjustment?

I know that it’s not free but it is almost :grin:
I’ve developed and published this module (30€) just this week:

https://www.dolistore.com/en/modules/1575-TOTP-2FA-Login.html

Compatible with Dolibarr 8.X to Dolibarr 14.X
Pay only once and enjoy updates forever :slight_smile:

1 Like

@caos30

I am also a Dolibarr developer :slight_smile: thanks for your suggestion.

Hi. Thanks for this great development.

Can you please add a function to send approval requests directly to handphones, so that the access can be directly granted on the phone instead of looking for PIN? Thanks.

Are you talking about SMS message with a PIN code?

What I meant is a handphone push notification.
I believe that SMS is for paid service.

Handphone notifications require the user to have installed an app on the smatphone, i think so.

I think you’re complicating your life. TOTP apps (like Authy, Google Authenticator) are using an standard of temporal 6-digit codes that are being used around internet, by all kind of webservices (from facebook, to hosting providers, etc…) and it’s very comfortable: you only need one app and then you aggregate so many accounts you need to third webservices (like Dolibarr, for example).

Even more, that “generators apps” exist as browser extension (although i recommend to manage your generator in a second device, by security). Even you can develop very easily (i did it) your own “generator app”.

Maybe i am wrong, but i would say that for mobile push notifications you need to have an app installed on your phone. For example, my bank account require to me to use THEIR APP. So it’s a less comfortable system for users: you need an app for each web service you need to access to.

Maybe a solution like this, but more easy to implement and more comfortable and flexible for user, would be to be able to send a temporal 6-digit code to an email address. So you can access to Dolibarr only reading the code sent to your email address… so if you have configured your smartphone to read emails, then you has a kind of “push notifications” :wink:

Even another free solution: send the code to your Telegram user. But, this solution would require to you before to create a bot on Telegram connected (hooked) to the Dolibarr module in a unique Dolibarr instance, and previously you should get in contact to that bot searching on Telegram… bufffff, it really is very more complicated that to simply use standard TOTP app generator :wink:

The Telegram bot could be useful and interesting to get other functionalities, for example, a kind of new interface to get data from your Dolibarr directly on your Telegram (stats, PDF documents…?) or to send documents… But for do this things you already has the WEB VERSION of dolibarr or even DoliDroid.

So… my friend, let me insist: don’t complicate your life. TOTP codes are the best option :wink:

There are some misunderstanding.

Please refer to the youtube video How to Use 2fa: Push Notification - YouTube
This push notification exists similarly for MS 365 and Google accounts.

I think that you have not implemented push notifications for smartphones, have you? A half year ago i searched about it and i don’t remember the details, but i would say that usually it’s NOT FREE to send push notifications. You have paid services like Twilio (Sendgrid). Maybe for Android it would be free, but not for iOS (excuse me if i’m wrong, i’m talking about something i searched almost a year ago). Anyway, it was NOT EASY to 1) implement (from the developer point of view), and 2) to use from the user point of view.

You must know that you are not able to send push notifications to anybody you wants!! (if it was possible we would be over attacked by spammers!)… The usual and only way -as i said in a comment above- is you give some permissions to the webservice sending push notifications to send you in the future new notifications.

Excuse me to insist then… but this is EXACTLY the same that TOTP 2FA 6-digits code do, but very much more standard and cross-platform, and not depending on third parties OSs (Android, iOS, windoes, linux, etc…), each user choose which TOTP6 code generator she prefer to use to securely access to her webservices.

Push notifications on IOS:
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_certificate-based_connection_to_apns

  1. If you read there, the first thing they ask to you is to have an account on developer.apple.com … and i think that it costs at least 100USD / year my friend! … it’s so ridiculously… :expressionless:

  2. the second thing: “Certificates must be tied to a specific app.” … so, as i told to you some days ago: the user who wants to receive push notifications from you must install your app. I unkown if you can send push notifications without that.

Anyway… complex, not free… my friend, for this reason was invented TOTp :smiley: