Bug #102081
Updated by Xavier Perseguers about 1 year ago
While working on making EXT:cf_google_authenticator compatible with TYPO3 v11 and v12 and trying to use the new "mfa" field from the fe_users table instead of custom ones, I figured out there is no way to instruct the authentication process that MFA has been validated.
h2. Context
- Configure TOTP with some Frontend user (you can do so with that fork branch: https://github.com/xperseguers/cf_google_authenticator/tree/feature/native-field-mfa)
- Go to the Frontend and try to login with username + password + (valid) TOTP
h2. Expected
You are authenticated.
h2. Actual
The exception MfaRequiredException (1613687097) is thrown.
h2. Cause
The session just created does not contain the key 'mfa' set to true.
h2. Further info
This problem does not exist in the Backend context as the authentication with MFA is done in a 2-step process where username+password is first checked and THEN MFA is required. This is easily possible because the Backend login has a full-screen layout and may easily be replaced by another single-field MFA input form thanks to a Middleware.
In a Frontend context however, it is common to ask for all 3 pieces of information (username + password + TOTP) in a single custom form tailored to the website's design. This means TOTP/MFA may be checked during the authentication process by some third-party extension, like any custom authentication service authenticating with OIDC or LDAP.
The problem was spotted while working on TYPO3 v11, right when MFA support was added to the Core but only actually implemented for the Backend.
Since MFA for the Frontend cannot be implemented properly with the current problem, and MFA is very important in terms of security, this ticket is marked as a bug fix going back to TYPO3 v11.
The submitted patch may naturally be discussed and the solution adapted if needed. The patch is in use here: https://github.com/xperseguers/cf_google_authenticator/commit/87abbef52784f9c08114da154c353492fbc987f7