Bug #102081


Cannot provide TOTP in a Frontend context

Added by Xavier Perseguers 8 months ago. Updated 7 months ago.

Under Review
Should have
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


While working on making EXT:cf_google_authenticator compatible with TYPO3 v11 and v12 and trying to use the new "mfa" field from the fe_users table instead of custom ones, I figured out there is no way to instruct the authentication process that MFA has been validated.

Edit: in the mean time and since EXT:cf_google_authenticator is not properly maintained anymore, I created a fresh MFA extension EXT:mfa_frontend available off TER.


- Configure TOTP with some Frontend user. You can do so with:

composer req causal/mfa-frontend "dev-bugfix/102081-core-cannot-provide-totp-in-frontend"

- Go to the Frontend and try to login with username + password + (valid) TOTP


You are authenticated.


Exception MfaRequiredException (1613687097) is thrown


The session just created does not contain the key 'mfa' set to true.

Further info

This problem does not exist in the Backend context as the authentication with MFA is done in a 2-step process where username+password is first checked and THEN MFA is required. This is easily possible because the Backend login has a full-screen layout and may easily be replaced by another single-field MFA input form thanks to a Middleware.

In a Frontend context however, it is common to ask for all 3 information (username + password + TOTP) in a single custom form tailored to the website's design. This means TOTP/MFA may be checked during the authentication process by some third-party extension like any custom authentication service authenticating with OIDC or LDAP.

Problem has been spotted while working on TYPO3 v11, right when MFA support has been added to the Core but only actually implemented for Backend.

Since MFA for Frontend cannot be implemented properly with current problem and MFA is very important in term of security, this ticket is marked as a bug fix going back to TYPO3 v11.

The submitted patch may naturally be discussed and solution adapted if needed. The patch to apply to the bugfix branch discussed above:

diff --git a/Classes/Service/MfaAuthenticationService.php b/Classes/Service/MfaAuthenticationService.php
index d6727f4..ad0066d 100644
--- a/Classes/Service/MfaAuthenticationService.php
+++ b/Classes/Service/MfaAuthenticationService.php
@@ -50,6 +50,11 @@ class MfaAuthenticationService extends AuthenticationService
             // Reset failed attempts
             $mfa['totp']['attempts'] = 0;

+            // MFA has been validated, we need to instruct TYPO3 it's OK to proceed
+            $userSession = $this->pObj->getSession();
+            $userSession->set('mfa', true);
+            $userSession->setUseDataForNewSession(true);
             $code = static::AUTH_SUCCEED_AND_PROCEED;
         } else {
             // Increase failed attempts

=> Apply that patch and check with the Core patch that authentication now works properly.

Actions #1

Updated by Xavier Perseguers 8 months ago

  • Description updated (diff)
Actions #2

Updated by Gerrit Code Review 8 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at

Actions #3

Updated by Gerrit Code Review 8 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at

Actions #4

Updated by Xavier Perseguers 7 months ago

  • Description updated (diff)

Also available in: Atom PDF