SSO Connector 2FA
No security coverage
This module adds a second verification step to SSO Connector logins. It supports TOTP authenticator apps with QR code enrollment, as well as email one-time codes, and includes features like backup codes, brute-force protection, and encrypted secrets.
Adds a second verification step to SSO Connector logins, supporting TOTP authenticator apps (Google Authenticator / Authy compatible, with a scannable enrolment QR code) and email one-time codes. It provides single-use backup codes, brute-force flood control, replay protection, and encrypts TOTP shared secrets at rest.
Features
- TOTP (RFC 6238) enrolment with a scannable QR code and manual-key fallback.
- Email OTP as a standalone second factor.
- Single-use backup / recovery codes.
- Replay protection — an accepted code cannot be reused (per-user counter for TOTP, single-use email codes).
- Flood control on failed attempts, keyed by user and client IP, failing closed when locked.
- TOTP shared secrets encrypted at rest (contrib Encrypt profile when configured, otherwise libsodium).
- Bounded, configurable clock-drift window.
- Admin-controlled method allow-list, with a subscriber that redirects enrolled-but-unverified users to the challenge.
Requirements
- Drupal core
^11.2 || ^12 - PHP
>= 8.1with thesodiumextension endroid/qr-code ^6(pulled in automatically by Composer)- SSO Connector
^1.0 - Optional: Key + Encrypt for a managed encryption profile
Installation
composer require drupal/sso_connector_2fa drush en sso_connector_2fa
Part of the SSO Connector bundle
Requires SSO Connector (core). See the core project for the full suite.