1. 2FA TOTP
When your users log on to Pwic.wiki, you may want to require a second, device-generated one-time password on top of the primary password to reinforce security. This is called two-factor authentication (2FA). It reduces the risk if the primary password (which is changed less often) is leaked.
TOTP is a simple algorithm: a random secret key is shared once between the server and the user's device, and from it a 6-digit PIN-code is derived on the fly that is valid for a 30-second time window. On the logon screen, the challenge is to provide the PIN-code that matches the current time window. The secret TOTP key must remain private.
As per the current implementation, you need to know that:
- the user's device must be synchronized to the real time,
- the user can't use 2FA TOTP if federated authentication (SSO) is enabled, because the external primary authentication may itself include a second factor (such as TOTP, SMS, phone calls...).
1.1. Steps
Configure the option base_url. For example:
- Linux:
./pa set-env base_url "http://localhost:8080"
- Windows:
pa set-env base_url "http://localhost:8080"
Enable the option totp:
- Linux:
./pa set-env totp X
- Windows:
pa set-env totp X
Install a TOTP-compatible application on the user's device. There are several good applications for smartphones; none is endorsed here.
Activate a user account for 2FA:
- Linux:
./pa reset-totp demo
- Windows:
pa reset-totp demo
You get this kind of information:
To configure 2FA TOTP fully, share securely the following info with the user "demo":
- Key: 7GFRI73GQMHYYH5IG55DQ55FEQJXQRDJ
- URL: otpauth://totp/localhost%3A8080:demo?secret=7GFRI73GQMHYYH5IG55DQ55FEQJXQRDJ&issuer=localhost%3A8080
The given URL can be converted to a QR-code by your own means. The user can scan the QR-code to configure the application in one click. Otherwise the secret TOTP key must be added manually.
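The algorithm described above, as an added example that is not part of Pwic.wiki's own code: a minimal RFC 6238 TOTP generator and verifier, plus a parser for the otpauth:// URL that reset-totp prints. The secret and URL are the sample values shown on this page; the function names and the one-step clock-drift tolerance are my own assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Sample values copied from the page's reset-totp output (an example, not a live credential).
SAMPLE_SECRET = "7GFRI73GQMHYYH5IG55DQ55FEQJXQRDJ"
SAMPLE_URL = ("otpauth://totp/localhost%3A8080:demo?secret="
              "7GFRI73GQMHYYH5IG55DQ55FEQJXQRDJ&issuer=localhost%3A8080")


def parse_otpauth(url):
    """Extract issuer, account and base32 secret from an otpauth://totp/ URL."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    label = unquote(u.path.lstrip("/"))          # "issuer:account"
    issuer_label, _, account = label.rpartition(":")
    q = parse_qs(u.query)
    return {"issuer": q.get("issuer", [issuer_label])[0],
            "account": account,
            "secret": q["secret"][0]}


def totp(secret_b32, timestamp=None, step=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    if timestamp is None:
        timestamp = time.time()
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(timestamp) // step              # same for the whole 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, pin, timestamp=None, step=30, drift=1):
    """Accept the PIN for the current step and `drift` adjacent steps on each side.
    The tolerance absorbs small clock skew on the device (assumed policy);
    the comparison is constant-time so timing does not leak digit matches."""
    if timestamp is None:
        timestamp = time.time()
    return any(hmac.compare_digest(totp(secret_b32, timestamp + d * step, step), pin)
               for d in range(-drift, drift + 1))
```

The test vectors for the secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) come from RFC 6238 and RFC 4226, so the generator can be checked against known-good codes before trusting it with a real key.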
1.2. Usage
On the logon screen, if your account is enabled for 2FA TOTP, type the PIN-code along with your primary password.
If the user has lost their 2FA device, repeat the configuration to generate a new key. With the option --disable, you can turn off 2FA for the user.
Revision #1 was last modified by gitbra on 2023-12-11 at 00:00:00 (1cba5cd99ab725be)