Two Factor Authentication - 2FA

From nuBuilderForte
Jump to navigation Jump to search

Activate 2FA

To activate two-factor authentication (2FA), you can edit the configuration within nuBuilder under Setup -> Settings.

Alternatively, you can edit the following settings directly in the nuconfig.php file.

By default, these options are disabled. 

$nuConfig2FAAdmin             = false;              //-- Enable 2FA for administrators
$nuConfig2FAUser              = false;              //-- Enable 2FA for users
$nuConfig2FAFormID            = "nuauthentication"; //-- 2FA form ID (default: nuauthentication)
$nuConfig2FATokenValidityTime = 168;                //-- Token validity period in hours (default: 7 days)
$nuConfig2FAShowRememberMe    = false;              //-- Show "Remember me for X days" checkbox (not yet implemented)

Additionally, 2FA can be activated or deactivated for individual access levels. This means if you enable 2FA for general users, you must also enable it for the specific access levels that require this protection.

Functionality

When 2FA is enabled, users are redirected to an authentication form after their initial login. On this form, users can request a 2FA token, which is sent to them via email or another configured method.

Entering a valid token grants access and redirects the user to their intended destination. Users cannot access other parts of the application until they have successfully authenticated. The 2FA session remains valid on the same device and browser for the duration specified by the "Token Validity Time".

Setting up 2FA

Navigate to Home -> Builders -> PHP Procedure "nu_authentication_2fa_template"

Clone the template. The procedure code will automatically be renamed to nu_authentication_2fa.

Adapt the PHP code as needed and save it.

Define Save IP Addresses

You can define a set of "safe" IP addresses to bypass the 2FA requirement for users on trusted networks. If a user connects from one of these whitelisted IP addresses, the two-factor authentication step will be skipped.

This feature supports both IPv4 and IPv6 addresses, including wildcard patterns (e.g. 192.168.*.*, 10.0.0.1, 2001:db8::/32).

Safe IPs are defined in the following configuration structure in nuconfig.php: For both globeadmin and users, you can define one or more IP addresses that are exempt from 2FA.


Sample configuration: 


$nuConfig2FASafeIPAddresses = [
    'globeadmin' => [
        '192.168.1.10', // Office main server
        '192.168.1.11', // Admin workstation
        '203.0.113.50', // Remote admin VPN
        '::1'
    ],
    'user' => [
        '*' => [ // Applies to ALL users
            '203.0.113.200', // Corporate VPN
            '198.51.100.100', // Office network
            '::1'
        ]
    ]
];
Retrieved from "https://wiki.nubuilder.cloud/index.php?title=Two_Factor_Authentication_-_2FA&oldid=3870"