Two Factor Authentication via TOTP for all your Users out-of-the-box.
This package adds a Contract to detect, on a per-user basis, whether a user should go through Two Factor Authentication. It includes a custom view and a listener that handle the Two Factor Authentication challenge itself during login attempts.
It is not invasive, but you can go full manual if you want.
To use it, add the TwoFactorAuthenticatable contract and the TwoFactorAuthentication trait to the User model, or to any other model for which you want Two Factor Authentication to be available.
use Illuminate\Foundation\Auth\User as Authenticatable;
use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable; // contract; namespace assumed, match your installed package
use DarkGhostHunter\Laraguard\TwoFactorAuthentication;            // trait; namespace assumed, match your installed package

class User extends Authenticatable implements TwoFactorAuthenticatable
{
    use TwoFactorAuthentication; // adds the per-user 2FA state and TOTP verification methods
}
There are plenty of opportunities for friction in the user experience when logging in, particularly while entering a two factor authentication code. As developers we should be building applications that support the need for account security but don’t detract from the user experience. Sometimes it can feel as though these requirements are in a battle against each other.
In this post we will look at the humble <input> element and the HTML attributes that will help speed up our users’ two factor authentication experience.
The final markup to trigger the correct keyboard and have the browser autocomplete the received SMS code is this:
🔐 Do note that 2FA using an Authenticator App/Device – I use Google Authenticator – to get a TOTP is still secure. The problem with SMS is the carriers, which swap your phone number to another SIM without properly verifying things.
Since early October it’s possible to enable Two Factor Authentication with your NPM account.
2FA is another layer of defense for your account, preventing third parties from altering your code even if they steal or guess your credentials. This is one of the easiest and most important ways to ensure that only you can access your npm account.
To enable it, run npm profile enable-2fa with one of these two options:
auth-only: enable it for any login attempt
auth-and-writes: enable it for any login attempt, publish event, profile change, etc.
Once enabled, use an authenticator application like Google Authenticator or Authy to generate your one-time password.
An additional security measure announced along with 2FA is the possibility of read-only tokens, useful for all your CI/CD needs.