What are others using for MFA and Plone?

Recently asked to look at adding MFA to Plone logins and was surprised to see plugins like collective.googleauthenticator or collective.smsauthenticator not updated since Plone 4.
I had also thought there was a plugin to at least allow login via email OTP but couldn't find anything yet.

Just wondering what most people do when they want to increase security of logins?
Are most handing off auth to something else like SAML2/OIDC at the point where they want to add more security?

Also noticed this recent topic - TOTP via Passlib and PAS. Is this a good solution?

That thread you mentioned is the one I started. My partner and I ended up rewriting PAS to integrate TOTP. It seems that from what we can gather, we may be the only ones doing this as even the PAS plug-in that was started a few years back was abandoned.

The workflow we ended up with uses either CookieAuthHelper or SessionAuthHelper (your preference) but it's definitely not as easy as some make it sound. We had to write our own Passlib TOTP module, and modify the main design of PAS to accept the auth tokens.

It’s all up and running perfectly now but it was no easy task. Lots of hours of work to make it happen.

CastleCMS can be set to send you an email with a link that you have to click on to get into the site.


We just set up SAML on a site to connect to Microsoft logins. That might be the most likely way a large organization will want to authenticate users anyhow (as opposed to authenticating using the Plone site).


@tkimnguyen Which SAML2 plugin did you use, and is it compatible with AzureAD, do you know?
This is one option I have in front of me. I couldn't see anyone say dm.saml2 or others work with AzureAD yet, however.
The other is upgrading collective.smsauthenticator to work with Plone 5. I suspect you are right that most end up on the SAML2/OAuth route, which is why no other Plone 5 options seem to exist.

@kittonian that's surprising. There is not much I've found that PAS can't be manipulated into doing. How does what you needed differ from how smsauthenticator did its integration? Or were you just trying to avoid Plone overrides?