TOTP/2FA for Plone

I need 2FA/TOTP in Plone - in this case ClassicUI 6.0.x or 6.1.x if available.
What is the current state here? Are there plugins around? Any stubs/unfinished code to built on?


I intend to make a full integration of into plone6/classic UI.

By "full" I mean:

  • Auth (login/logout) via SAML2 (Already done)
  • User listing/search
  • Group listing/search
  • Group Memberships
  • PW reset
  • Probably more

The goal is to integrate this primarily via PAS plugins, so there is almost no need to touch the classic UI.

I should be able to have something running (beta) by April/Mai.

I know it is not exactly what you are asking for, but it might be interesting as an alternative.



Keycloak is a great piece of software. But Keycloak is way more than I need. We have a classic user folder and the only addition we need is TOTP-2FA.
Roughly I think of a PAS plugin which checks additional to __ac cookie a second cookie (or the same with enhanced information). The whole as minimal as possible.

Not sure if this helps here but there's an authomatic integration (Authomatic) here: GitHub - collective/pas.plugins.authomatic: Authomatic OAuth1/OAuth2/OpenID Login Integration with Plone

You should look at GitHub - collective/collective.googleauthenticator: Two-step verification for Plone 4 using the Google Authenticator app.

there was some effort to port it to Plone 5.2 and python3, because someone commented that in this forum, but I don't know the status.

I've been working on GitHub - collective/pas.plugins.tfa: [WIP] Two Factor Authentication which was originally started by Red Turtle. I plan to continue work on it on the next plone tuneup day. Help/testing is most welcome.

There is a PR with ongoing work for classic ui here: fix classicui by mamico · Pull Request #3 · collective/pas.plugins.tfa · GitHub

Current status is it's working fine in classic but needs some minor improvements and documentation/testing.

There is also a sister package GitHub - collective/volto-tfa: Work in progress - volto addon for two factor authentication (pas.plugins.tfa) which provides the volto components using the same backend package for the PAS side of things.

1 Like

I started work on a python3 branch: GitHub - collective/collective.googleauthenticator at python3 but abandoned it in favour of the more modern pas.plugins.tfa mentioned in my other reply.

From memory the branch was all working in p5.2/6 classic but the modal login was broken.

1 Like

There is also pas.plugins.oidc which connects seamlessy with keycloak as an open id connect idp.

1 Like

Thanks :two_hearts: folks!

Looks like GitHub - collective/pas.plugins.tfa: [WIP] Two Factor Authentication is the best to go with, thanks also for the other hints! The collective.googleauthenticator seems a bit outdated but is in the right direction. pas.plugins.authomatic (which I wrote years ago) and pas.plugins.oidc are a different topic: Federated authentication, which is IMO very different from second factor (2FA) or time based one time token (TOTP) authentication.

Now I can offer this my customer and if they like the idea I will get back and coordinate with @iojon and anyone who works on the plugin.

1 Like

Yes, If you want to add a second factor directly in pas you are right, you already mentionned that above and I missed it in scanning the topic/thread. I was more responding to @maethu where I read he wants to create a new addon for integration with Keycloak.

Adding different second factor systems to Keycloak, Authentik, Authelia or similar projects is much easier and means activating plugins or configuring them. They are already implemented and shared between all applications that depend on that keycloak. mobile phone, randomised numbers, google authenticator, good old e-mail.

It depends on many factors if the cost of building and maintaining a single solution for one 2nd factor type in Plone outweighs the maintenance of a generic identity server with many 2FA options already baked in that you then connect to Plone.

There are always pro/cons. Here we need TOTP only, no email, no SMS/Whatsapp/phone calls and we really do not want dependencies on external platforms.

For other cases it is probably easier and more convinient to go with Keycloak

There is also pas.plugins.oidc which connects seamlessy with keycloak as an open id connect idp.

Thanks!! I already saw that one, too!