Drupal is a registered trademark of Dries Buytaert
Search API Solr 4.3.13 Minor update available for module search_api_solr (4.3.13). Search API Solr 4.3.12 Minor update available for module search_api_solr (4.3.12). Google API PHP Client 8.x-4.7 Minor update available for module google_api_client (8.x-4.7). Burndown 1.0.69 Minor update available for module burndown (1.0.69). SSO Connector 1.0.2 Minor update available for module sso_connector (1.0.2). smart 404 1.1.3 Minor update available for module smart_404 (1.1.3). SSO Connector Autologout 1.0.0 Initial release available for module sso_connector_autologout (1.0.0)! SSO Connector Social 1.0.0 Initial release available for module sso_connector_social (1.0.0)! Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs. Commerce Order Amend Module commerce_order_amend now has official Drupal security advisory coverage.

This module adds a second verification step to SSO Connector logins. It supports TOTP authenticator apps with QR code enrollment, as well as email one-time codes, and includes features like backup codes, brute-force protection, and encrypted secrets.

Adds a second verification step to SSO Connector logins, supporting TOTP authenticator apps (Google Authenticator / Authy compatible, with a scannable enrolment QR code) and email one-time codes. It provides single-use backup codes, brute-force flood control, replay protection, and encrypts TOTP shared secrets at rest.

Features

  • TOTP (RFC 6238) enrolment with a scannable QR code and manual-key fallback.
  • Email OTP as a standalone second factor.
  • Single-use backup / recovery codes.
  • Replay protection — an accepted code cannot be reused (per-user counter for TOTP, single-use email codes).
  • Flood control on failed attempts, keyed by user and client IP, failing closed when locked.
  • TOTP shared secrets encrypted at rest (contrib Encrypt profile when configured, otherwise libsodium).
  • Bounded, configurable clock-drift window.
  • Admin-controlled method allow-list, with a subscriber that redirects enrolled-but-unverified users to the challenge.

Requirements

  • Drupal core ^11.2 || ^12
  • PHP >= 8.1 with the sodium extension
  • endroid/qr-code ^6 (pulled in automatically by Composer)
  • SSO Connector ^1.0
  • Optional: Key + Encrypt for a managed encryption profile

Installation

composer require drupal/sso_connector_2fa
drush en sso_connector_2fa

Part of the SSO Connector bundle

Requires SSO Connector (core). See the core project for the full suite.

Activity

Total releases
1
First release
Jul 2026
Latest release
5 hours ago
Releases (12 mo)
1 ▲ from 0
Maintenance
Active

Releases

Version Type Release date
1.0.0 Stable Jul 18, 2026