This bundle provides two-factor authentication for your Symfony application.
It comes with the following two-factor authentication methods:
- TOTP authentication
- Google Authenticator
- Authentication code via email
Additional features you will like:
- Interface for custom two-factor authentication methods
- Trusted IPs
- Trusted devices (once passed, no more two-factor authentication on that device)
- Single-use backup codes for when you don't have access to the second factor device
- Multi-factor authentication (more than 2 steps)
- CSRF protection
- Whitelisted routes (accessible during two-factor authentication)
composer require scheb/two-factor-bundle... and follow the installation instructions.
Detailed documentation of all features can be found in the Resources/doc directory.
If you think that you have found a security issue in the bundle, don't use the bug tracker and don't publish it publicly. Instead, please report via email to me@christianscheb.de.
Known security issues:
-
Before version 3.7 the bundle is vulnerable to a security issue in JWT, which can be exploited by an attacker to generate trusted device cookies on their own, effectively by-passing two-factor authentication. (#143)
-
Before versions 3.26.0 / 4.11.0 it was possible to bypass two-factor authentication when the remember-me option is available on the login form. (#253)
See CONTRIBUTING.md.
This bundle is available under the MIT license.