Laraguard – Two Factor Authentication via TOTP for all your Users out-of-the-box.

This package adds a Contract to detect on a per-user basis if it should use Two Factor Authentication. It includes a custom view and a listener to handle the Two Factor authentication itself during login attempts.

It is not invasive, but you can go full manual if you want.

To use it, add the TwoFactorAuthenticatable contract and the TwoFactorAuthentication trait to the User model, or any other model you want to make Two Factor Authentication available.

<?php

namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;
use DarkGhostHunter\Laraguard\TwoFactorAuthentication;
use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable;

class User extends Authenticatable implements TwoFactorAuthenticatable
{
    use TwoFactorAuthentication;
    
    // ...
}

Installation per Composer:

composer require darkghosthunter/laraguard

Laraguard (GitHub) →
Laraguard Introductory Post (Medium) →

💵 This linked article is stuck behind Medium’s metered paywall, which may prevent you from reading it. Open the link in an incognito window to bypass Medium’s ridiculous reading limit.

HTML attributes to improve your users’ two factor authentication experience

There are plenty of opportunities for friction in the user experience when logging in, particularly while entering a two factor authentication code. As developers we should be building applications that support the need for account security but don’t detract from the user experience. Sometimes it can feel as though these requirements are in a battle against each other.

In this post we will look at the humble <input> element and the HTML attributes that will help speed up our users’ two factor authentication experience.

The final markup to trigger the correct keyboard and have the browser autocomplete the received SMS code is this:

<input
  type="text"
  name="token"
  id="token"
  inputmode="numeric"
  pattern="[0-9]*"
  autocomplete="one-time-code"
/>

HTML attributes to improve your users’ two factor authentication experience →

🚨 Do note that 2FA using SMS is not secure, mainly because of the lax identity-verification policies at mobile carriers, which make SIM swap (port-out) attacks easy. The recently announced origin-bound OTP format proposed by WebKit/Apple only ties an SMS code to the domain it was issued for, which helps against phishing; it makes no difference once an attacker has had your number ported to their SIM.

Is 2FA using SMS Secure?

In case you were still in doubt after this SIM port horror story from back in May:

  • We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
  • We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
  • We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
  • We found 17 websites on which user accounts can be compromised based on a SIM swap alone.

Is SMS 2FA Secure? →

🔐 Do note that 2FA using an Authenticator App/Device – I use Google Authenticator – to get a TOTP still is secure: the shared secret lives on your device and the carrier is never involved. The problem with SMS is the carriers that move your phone number to another SIM without properly verifying who is asking.

How to Steal a Tesla and What You Should Do to Protect Yourself

It’s possible to unlock and start a Tesla using only the driver’s Tesla app username and password (no key needed, nor the PIN that unlocks the onboard dashboard!).

Let this be a reminder to never trust free Wi-Fi, especially not Wi-Fi that requires you to “log in” (*). Also: services like these need 2FA …

(*) If you really need to, then I suggest trying to log in with a false username/password combo … if you’re in (using that false info), it’s rogue. Additionally: whenever you’re on free Wi-Fi, use a VPN.

The Most Expensive Lesson Of My Life: Details of SIM port hack

Sean Coonce got hacked last week. Even with 2FA enabled, the attackers got in … because his phone number had been transferred to a rogue SIM:

My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I’m equal parts embarrassed, hurt, and deeply remorseful.

In an effort to raise awareness about the attack, I wrote about it.

Reading this, one would almost get a second, private phone number for services that only support 2FA via a phone number.

The Most Expensive Lesson Of My Life: Details of SIM port hack →

TIP: Enable Two Factor Authentication (2FA) with your NPM account

Since early October it’s possible to enable Two Factor Authentication with your NPM account.

2FA is another layer of defense for your account, preventing third parties from altering your code even if they steal or guess your credentials. This is one of the easiest and most important ways to ensure that only you can access your npm account.

To enable it, run npm profile enable-2fa with one of these two options:

  1. auth-only: enable it for any login attempt
  2. auth-and-writes: enable it for any login attempt, publish event, profile change, etc.

Once enabled, use an authenticator application like Google Authenticator or Authy to generate your one-time password.

An additional security measure announced along with 2FA is read-only tokens — useful for all your CI/CD needs, since a token that can only install packages cannot publish if it leaks from a build server.

Note that NPM 5.5.1 or higher is required.

Protect your npm account with two-factor authentication and read-only tokens →
NPM: Using Two Factor Authentication →
