dmfa
No security coverage
Description
Provides FIDO2/WebAuthn security key and TOTP authenticator app
support for two-factor (2FA) and multi-factor (MFA) authentication in Drupal.
Users can register hardware security keys (YubiKey, SoloKey, etc.), platform authenticators (Windows
Hello, Touch ID, Android biometrics), passkeys, and TOTP authenticator apps (Google Authenticator,
andOTP, FreeOTP, Aegis, etc.).
Features
- WebAuthn/FIDO2 — register and authenticate with hardware security keys, platform authenticators, and passkeys
- TOTP — set up authenticator apps with QR code provisioning
- 2FA mode — any single configured method clears the gate
- MFA mode — require all configured methods (e.g. both a security key and authenticator app)
- Per-user toggle — users choose whether to enable 2FA (when policy is "optional")
- Admin policy — set 2FA as optional or required for all users
- 2FA gate — event subscriber blocks access to the site until verification is complete
- Self-service management — users manage their own keys and TOTP at /user/{uid}/security-keys
- Clone detection — flags authenticators with sign counter anomalies
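The clone detection and the two verification modes listed above, sketched as an added example that is not the module's own code. The function names and sample values are hypothetical; the counter rule follows the WebAuthn specification's signature counter check, and failing closed for a user with no enrolled method is an assumption.

```php
<?php
// Added illustration; function names are hypothetical, not the dmfa module's API.

/**
 * Signature counter check applied after a WebAuthn assertion verifies.
 * Returns true when the counter suggests a cloned authenticator.
 */
function sign_counter_anomaly(int $stored, int $received): bool {
  // Authenticators without a counter always report 0; nothing to compare.
  if ($stored === 0 && $received === 0) {
    return false;
  }
  // A genuine authenticator's counter strictly increases on each use, so a
  // value equal to or below the stored one means a second copy may exist.
  return $received <= $stored;
}

/**
 * Gate decision for the two verification modes.
 *
 * @param string   $mode       'any' (2FA) or 'all' (MFA).
 * @param string[] $configured Methods the user has enrolled.
 * @param string[] $verified   Methods verified in the current session.
 */
function gate_cleared(string $mode, array $configured, array $verified): bool {
  $configured = array_unique($configured);
  if ($configured === []) {
    // Assumption: fail closed; policy for un-enrolled users is decided elsewhere.
    return false;
  }
  $done = array_intersect($configured, $verified);
  return $mode === 'all'
    ? count($done) === count($configured)
    : count($done) > 0;
}

// Constructed sample values: [stored counter, counter received in assertion].
foreach ([[41, 42], [42, 42], [42, 17], [0, 0]] as [$stored, $received]) {
  printf("stored=%d received=%d anomaly=%s\n", $stored, $received,
    sign_counter_anomaly($stored, $received) ? 'yes' : 'no');
}

// One of two enrolled methods verified: compare both modes.
foreach (['any', 'all'] as $mode) {
  printf("mode=%s cleared=%s\n", $mode,
    gate_cleared($mode, ['webauthn', 'totp'], ['totp']) ? 'yes' : 'no');
}
```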
Requirements
- Drupal 9.2+ (compatible with Drupal 10 and 11)
- PHP 7.4+
- HTTPS (required by the WebAuthn browser API)
Installation
composer require drupal-mfa
drush en webauthn
Configuration
- Go to /admin/config/people/webauthn
- Set Relying Party ID to your domain (e.g. example.com)
- Set Relying Party Name (shown in authenticator prompts)
- Choose Policy: optional or required
- Choose Verification Mode: any (2FA) or all (MFA)
Libraries
- lbuchs/webauthn — FIDO2/WebAuthn ceremony logic
- spomky-labs/otphp — TOTP generation and verification
- chillerlan/php-qrcode — QR code rendering