2FA (two-factor authentication) in Plone 6: options or plans?

What is the current status of two-factor authentication (2FA or multi-factor authentication) with Plone 6?

What I have found out so far is:

  • two-factor-auth-in-plone-6/14796 in February got referred to https://github.com/collective/collective.googleauthenticator, but this is old (Plone 4, Python 2, last commit 2018).
  • community.plone.org/t/what-makes-plone-an-enterprise-cms-what-is-missing/14771/2 says that 2FA support was missing in February; there is a pointer towards github.com/castlecms/castle.cms for implementation ideas. So maybe github.com/castlecms/castle.cms/pull/365/files is an inspiration.
  • There are proposals for the summer of code, Webauth (having a mentor) and OAuth (not having one). Both would offer 2FA possibilities.

As it is mentioned that 2FA is not possible out of the box, what is currently the best method to do it with add-ons?

I did not find an issue anywhere for developing 2FA; is there one already?

collective.googleauthenticator has a Plone 5.1 branch that has been worked on by community members. As the PAS system is mature and stable, my guesstimate is that it shouldn't be too much work getting this add-on upgraded to Python 3 and ready for Plone 6.

I'm not sure how much this is really tied to Google 2FA on the server; I can use their client apps interchangeably (MS, Google, third-party apps).

@fredvd thanks for your estimation.

As far as I know, Google Authenticator uses the standards TOTP (specified in RFC 6238) or HOTP (specified in RFC 4226), so any application supporting one of these standards should work.

I did a little work trying to get this to work with Plone 5.2. I did not manage to get anything to install anywhere, ref: Working buildout for collective.googleauthenticator?

I gave up (so I did not get the job).

I had it successfully running, but it was 2019 :slight_smile:

Now I do not have that buildout anymore, sorry :confused: