
MFA security concept #19

@gael-connan-cybex

Description

(to be transferred to a versioned document)

The goal of this concept is to ensure that you cannot unintentionally attain logged-in status at any step of the process.

We assume that

  • There is a user class with email and password
  • The app can send mail
  • The package takes responsibility only
    • if the package is installed
    • if the basic readme steps have been followed

Setup

1. Package required

  • The package has been required
    • and migrated
    • and composer install ran
      => Old authentication should still work
      => If the readme steps have not been followed, it is not our responsibility

2. Provider set up

  • Old auth providers removed
  • Changed the login endpoint to the Laravel Fortify one, and the home location if necessary
    => Should crash because the trait is not used
    => If the readme steps have not been followed, it is not our responsibility

3. User class and template adapted

  • The trait is used in the user class
  • Added a link for the MFA settings page
  • Nothing needs to be published
    => User can log in using email and password
    • Our part of the Laravel Fortify authentication pipeline is skipped (no MFA)
    • The Laravel Fortify part of this pipeline logs you in
      => Users can now set up MFA if they want (default setup)

SCENARIO: Default setup, user wants TOTP

User TOTP setup

  • User navigates to MFA settings page
  • User chooses to activate TOTP
    • This requires entering the password again (only for this MFA method?)
    • Laravel Fortify creates a TOTP secret for the user
    • The secret is shown to the user (QR and raw)
    • The user must add this to an authenticator app and provide a valid TOTP from it
    • User stays logged in through the Laravel session
      => User has additional protection on next login

TOTP login

  • User must enter email and password

    • After that, the user is not yet logged in
    • Our part of the Laravel Fortify pipeline sets in the Laravel session:
      • Laravel Fortify's login.id, needed for TOTP
      • The user ID and the current time (for the last login step)
  • User must enter TOTP

    • Our Laravel Fortify request generates a TOTP and compares it with the input
    • Our part of the Laravel Fortify pipeline logs the user in for Laravel,
      • only if the email/password login was recent
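The two-step login above, as an added language-neutral model (not the package's or Laravel Fortify's code): a dict stands in for the Laravel session, the password step records the challenge without granting logged-in status, and the TOTP step logs the user in only if the code verifies and the password step is recent. The session keys other than login.id, the 300-second freshness window and the plaintext password comparison are assumptions for the example; real code verifies a password hash.

```python
import base64, hashlib, hmac, struct

WINDOW_SECONDS = 300  # assumed freshness window for the password step (not from the page)

def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class LoginFlow:
    """Two-step login; self.session models the Laravel session (constructed)."""
    def __init__(self, users):
        self.users = users           # {email: {"id", "password", "totp_secret" or None}}
        self.session = {}            # nothing stored here grants logged-in status by itself
        self.logged_in_user = None   # set only by the final step of each path

    def password_step(self, email, password, now):
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(user["password"], password):
            return "rejected"
        if user["totp_secret"] is None:
            self.logged_in_user = user["id"]  # no MFA: Fortify logs the user in directly
            return "logged_in"
        # MFA enabled: record the challenge, but do NOT log in yet
        self.session.update({"login.id": user["id"],
                             "mfa_user_id": user["id"], "mfa_password_at": now})
        return "totp_required"

    def totp_step(self, code, now):
        user_id = self.session.get("mfa_user_id")
        if user_id is None:
            return "rejected"                 # no password step happened in this session
        if now - self.session["mfa_password_at"] > WINDOW_SECONDS:
            self.session.clear()              # stale challenge: the user must start over
            return "expired"
        user = next(u for u in self.users.values() if u["id"] == user_id)
        if not hmac.compare_digest(totp(user["totp_secret"], now), code):
            return "rejected"
        self.session.clear()                  # one challenge, one login
        self.logged_in_user = user_id
        return "logged_in"
```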
