Two Factor Authentication

Dear All,

How would one go about adding Two Factor Authentication to Frappe?

Could you recommend reliable alternatives to https://www.authy.com that one could integrate with in order to have Two Factor Authentication?

Regards,
cksgb

1 Like

@Chude_Osiegbu I have used this in the past https://www.privacyidea.org/… it worked well.

2 Likes

This is a really important feature for Frappé/ERPNext for it to be considered on par with other enterprise-grade ERP systems.

So far, my workaround is using Google Sign-In with the 2FA policy enforced via G Suite (luckily, I manage to get all my clients to use this).

1 Like

Agreed.

My DNS provider offers 2FA that works with an ACL list and country code:

In the case of login access from an IP not recognized on an ACL list or country code, the site emails a six-digit integer required for login access, in addition to the password.

Here’s a DNS break-in story to ponder

1 Like

@khrlzhfr

TBH I question Google auth when you hear what they are up to these days -

Hi All,

We’ve implemented 2FA in Frappe using pyotp and pyqrcode. Below is a basic walkthrough of the functionality.

Basically, we introduced two settings that allow 2FA to be activated at the System Settings and Role level. When 2FA is enabled at the site level, a further check is done to see if the role of a user who is about to log in also has 2FA activated. If so, it performs the second-level check using either TOTP (an OTP app such as Google Authenticator) or HOTP (notification of the verification code by either SMS or email). See the video below:

https://youtu.be/NRExpgI2wUs

To get this to work today, ERPNext has to be installed (even if you don’t need it and are only building on Frappe). This is because the SMS sending functionality is embedded in ERPNext (see the following issue Proposal: Move SMS Settings and related Doctypes to Frappe Core · Issue #9875 · frappe/erpnext · GitHub).

@rmehta what do you think about us shifting the SMS functionality to Frappe? That way, we wouldn’t have to replicate SMS sending.

Will send out a PR shortly. Suggestions for improvements welcome.

Regards,
Chude

11 Likes
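A minimal model of the flow Chude describes (site-level switch, then per-role switch, then a TOTP or HOTP check), added here as an illustration and not code from the Frappe PR. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library instead of pyotp, and the setting names, role names and user list are assumptions:

```python
import hashlib
import hmac
import struct
import time

# Constructed configuration mirroring the two settings from the post.
# Names are assumed, not Frappe's actual field names.
SYSTEM_SETTINGS = {"enable_two_factor_auth": True, "two_factor_method": "OTP App"}
ROLE_2FA = {"System Manager": True, "Website User": False}          # per-role switch
USER_ROLES = {"admin@example.com": ["System Manager"], "visitor": ["Website User"]}

# RFC 4226 test secret (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and shows it as a QR code.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


def two_factor_required(user: str, settings=SYSTEM_SETTINGS) -> bool:
    """Site switch first; then any of the user's roles with 2FA activated."""
    if not settings["enable_two_factor_auth"]:
        return False
    return any(ROLE_2FA.get(role, False) for role in USER_ROLES.get(user, []))


def verify_second_factor(user: str, secret: bytes, submitted: str,
                         settings=SYSTEM_SETTINGS, *, now=None, counter=0) -> bool:
    """Second-level check after the password: TOTP for an OTP app, HOTP for SMS/email."""
    if not two_factor_required(user, settings):
        return True
    if settings["two_factor_method"] == "OTP App":
        now = int(time.time()) if now is None else now
        # Tolerate one step of clock drift on either side of the current step.
        candidates = [totp(secret, now + d) for d in (-30, 0, 30)]
    else:
        # SMS/email: the server sent hotp(secret, counter) and stored that counter.
        candidates = [hotp(secret, counter)]
    # Constant-time comparison so the check does not leak matching digits.
    return any(hmac.compare_digest(c, submitted) for c in candidates)
```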

@Chude_Osiegbu looks great!

Yes lets move SMS to Frappe.

Just some feedback regarding the UX - you are adding the messages / QR code in the header section of the Verification box. The header should be only one line, “Verification”, and the rest can come in the body.

Great work! Look forward to the contribution :slight_smile:

2 Likes

Thanks @rmehta,

We’ll effect the changes to the verification box and make a few other corrections. Will look at sending the PR in a few days.

Regards,
Chude

3 Likes

@Chude_Osiegbu can you share link to the 2fa branch?

So I can test how /login?redirect-to works?

It’s required for oauth2

Hi @revant_one,

Sure will do this weekend. Just a few bugs to clean up.

Regards,
Chude

1 Like

Excellent work. This is a great “selling” point to make ERPNext enterprise class. Looking forward to the contribution… thank you Chude!

Hello All,

PRs are here:

https://github.com/frappe/frappe/pull/3763

and here:

https://github.com/frappe/erpnext/pull/10033

Regards,
Chude

3 Likes

Tested OAuth 2.0. It is working as expected with 2FA.

1 Like

Please see additional comments in pull request.

Does it work for website users?