@NightJar
Created June 20, 2019 23:46
Multi factor authentication overview (@ 21 June 2019)

SilverStripe 4 security enhancements

This is a quick overview of a suite of 5 new modules focused on security and member authentication in the CMS.

  • silverstripe/mfa
  • silverstripe/login-forms
  • silverstripe/security-extensions
  • silverstripe/webauthn-authenticator
  • silverstripe/totp-authenticator

MFA (multi factor authentication)

Base module that provides all the functionality surrounding multi factor authentication

  • Requires OpenSSL PHP extension

Features

  • Needs 'Methods' installed to do anything, which are modules with well-defined APIs
    • backup/recovery codes only in this module, which are always necessary when a user sets up MFA for their account
  • Can be disabled from YML for development environments, so one isn't hit with "you can't log in until you MFA" on SS_DEFAULT_ADMIN...
  • Cannot remove MFA (without removing the module); once someone sets up a method, forever will it be theirs to manage.
  • By default is only enabled for members with CMS access.
  • CMS admins can choose whether MFA is:
    • Optional on their site. A user can register a method if they desire. They will be prompted to register a method the first time they log in only. They can always configure MFA via their profile in the CMS.
    • Required on their site. A user MUST register a method when they log in, or they do not get access to the site.
    • Required, with a grace period: A user can choose to skip registration for a limited time (defined in CMS). They are prompted to register a method every time they log in.
  • Management can be done in the CMS, but only by that user for themselves (admins cannot fiddle with a member's security settings)
    • If a user has multiple methods registered, they can choose a "default" one, which is the one shown automatically to verify.
  • Admins can request an account "reset" though, which sends an email out for confirmation similar to "forgot password"
  • Email notifications are sent to the user whose account it is when:
    • Adding a method to an account
    • Removing a method from an account
    • Using a backup/recovery code to authenticate
  • Removing last method on an account also removes the recovery codes (i.e. disables MFA for that user)
    • This is only possible if MFA is optional, otherwise a user must always have at least one registered method
  • It is possible to 'reset' a method, i.e. re-register (in the case of lost device, etc.)
  • Forgot password will require MFA before setting a new password, if MFA is set up for that user

Architecture

The MFA module uses well-defined interface declarations to manage the flow of data between itself and the various "Methods" one may have installed for their site (currently there are only two - see WebAuthn and TOTP below).

Methods implement their interface via React components, for which we've extracted the JavaScript Injector from the CMS to allow the use of React components between compiled bundles. This allows the MFA front end to begin the process of registration or verification, but still allows each Method to implement its own interface, and still provides flexibility to any developer who wishes to create their own Method definition (e.g. "basic math", which is used in the test suite).

Technical flow

  1. The MFA module replaces the MemberAuthenticator with its own authenticator. However, it still uses the same login form that is normally shown for the CMS (Security/login) and other pages.
  2. After successfully passing the password test the user enters a "half logged in" state, which means they still cannot access the CMS.
  3. The MFA prompt renders (unless MFA is optional and the user has previously skipped registration).
  4. MFA knows whether a user needs to register a method (does not have one set) or verify themselves (using a previously registered method).
  5. After selecting the method (which could be automatic if there is only one to choose from) a GET request is made to "start" that method's registration - for verification the selection is skipped and the user's "default" method (configurable in the CMS) is shown.
  6. The method's React component is rendered, which handles the registration/verification data collection (including any extra backend API calls, etc.).
  7. Data from the registration/verification React component is POSTed through to "finish" that method's registration/verification.
  8. This is either successful and the user continues to the CMS, or the React component does whatever it does for a failed state.
  9. Login attempt limits are still respected. E.g. if a member enters their TOTP code incorrectly 3 times in a row, they will be locked out of the CMS for 15 minutes (configurable, uses existing core functionality).

If a user does not have their "default method" available they are able to select another method of verification - e.g. backup/recovery code.
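The flow above as a small runnable model, added here as an illustration; it is not code from silverstripe/mfa, and the `start()`/`finish()` Method API, the `Account` and `MfaLogin` classes and the password hashing are all constructed for the example. It models the "half logged in" state, registration on an optional versus a required site, picking the default Method or naming another one (backup codes), single-use recovery codes, and the 3-strikes / 15-minute lockout from step 9. The "basic math" Method stands in for the one the page says the test suite uses.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3             # page: three wrong codes in a row...
LOCKOUT_SECONDS = 15 * 60    # ...lock the account out for 15 minutes (a core setting)


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


class BasicMathMethod:
    """Stand-in for the 'basic math' Method used by the test suite.
    start()/finish() is a hypothetical API, not the real module's."""
    name = "basic-math"

    def start(self, a=None, b=None) -> dict:
        # Random operands normally; tests may pin them.
        a = secrets.randbelow(10) if a is None else a
        b = secrets.randbelow(10) if b is None else b
        return {"challenge": f"{a} + {b} = ?", "expected": a + b}

    def finish(self, state: dict, answer) -> bool:
        return str(state["expected"]) == str(answer).strip()


class BackupCodesMethod:
    """Recovery codes: stored hashed, each usable exactly once."""
    name = "backup-codes"

    def __init__(self, plain_codes):
        self.hashes = {_sha256(c) for c in plain_codes}

    def start(self) -> dict:
        return {"challenge": "enter one unused recovery code"}

    def finish(self, state: dict, code) -> bool:
        digest = _sha256(str(code).strip())
        if digest in self.hashes:
            self.hashes.remove(digest)        # burn it: single use
            return True
        return False


class Account:
    def __init__(self, password: str):
        self.password_hash = _sha256(password)  # toy; real code uses a slow password hash
        self.methods = {}                        # Method name -> Method instance
        self.default_method = None               # shown automatically at verify time
        self.failures = 0                        # consecutive failed verifications
        self.locked_until = 0.0

    def register(self, method) -> None:
        self.methods[method.name] = method
        self.default_method = self.default_method or method.name


class MfaLogin:
    """One login attempt: anonymous -> half -> logged_in (or locked)."""

    def __init__(self, account: Account, mfa_required: bool, now: float):
        self.account, self.mfa_required, self.now = account, mfa_required, now
        self.state = "anonymous"
        self.pending = None          # Method chosen at "start"
        self.pending_state = None    # its server-side state until "finish"

    def password_login(self, password: str) -> str:
        acct = self.account
        if self.now < acct.locked_until:
            return "locked"
        if not hmac.compare_digest(acct.password_hash, _sha256(password)):
            return self.state
        self.state = "half"          # password passed; CMS still off limits
        return self.state

    def needs_registration(self) -> bool:
        return self.state == "half" and not self.account.methods

    def skip_registration(self) -> str:
        # Only an optional (or grace-period) site lets a user in without a method.
        if self.needs_registration() and not self.mfa_required:
            self.state = "logged_in"
        return self.state

    def start_verify(self, method_name=None, **kwargs) -> str:
        # Default method unless the user names another (e.g. device not to hand).
        name = method_name or self.account.default_method
        self.pending = self.account.methods[name]
        self.pending_state = self.pending.start(**kwargs)
        return self.pending_state["challenge"]

    def finish_verify(self, answer) -> str:
        acct = self.account
        if self.state != "half" or self.pending is None:
            return self.state
        if self.now < acct.locked_until:
            return "locked"
        if self.pending.finish(self.pending_state, answer):
            acct.failures = 0
            self.state = "logged_in"
            return self.state
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = self.now + LOCKOUT_SECONDS
            return "locked"
        return self.state
```

The failure counter and lock time live on the account, not the login attempt, so a fresh login after a lockout still sees the lock; the challenge state stays server-side and only the prompt string is handed to the client.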

Login Forms

A single module install that provides a consistent user experience through login and related activities.

Features

  • Replaces all themes for the login pages (Security controller) automatically
  • Can set a logo to make it recognisable to the site (recommend SVG)
  • Dark mode CSS (works well with SVG), fits with operating system settings (through the magic of media queries)
  • Selectively disable 'screens' (routes) to enable site theme again
  • Required by MFA (allows us to provide a consistent experience)

Security extensions

Provides additional general security features that aren't directly related to MFA

Features

  • 'sudo' mode; extra verification step in order to access sensitive or highly impacting controls of the CMS
  • Require password change on next log in

MFA method: Webauthn

Hardware tokens, such as a YubiKey

  • Requires gmp PHP extension

MFA method: TOTP (time based one time password)

Software based, e.g. Google Authenticator, Microsoft Authenticator, Authy, etc.

  • Requires a secret to be set in the environment variable SS_MFA_SECRET_KEY
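What the authenticator apps listed above actually compute, as an added example rather than the totp-authenticator module's own code: TOTP per RFC 6238 on top of RFC 4226 HOTP, plus the two server-side checks worth getting right when verifying a code, a small drift window and refusal to accept a time step that has already been used (so a code can't be replayed within its 30 seconds). The function and constant names are mine. The page notes the module needs SS_MFA_SECRET_KEY from the environment; this example keeps the per-user secret in memory and does not model that storage. The test secret is the ASCII string from the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

STEP = 30       # seconds per time step; the default every listed app assumes
DIGITS = 6
WINDOW = 1      # also accept the step just before/after to tolerate clock drift


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32 without padding: the form apps take via QR/manual entry."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")


def secret_from_base32(encoded: str) -> bytes:
    """Inverse of generate_secret(); restores the padding stripped for display."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float,
                last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check `code` against the current step +/- WINDOW in constant time.

    `last_used_step` is the step of the last code this user got in with; any
    step at or before it is refused so an intercepted code cannot be replayed.
    Returns (accepted, step_to_record)."""
    current = int(at) // STEP
    for step_no in range(current - WINDOW, current + WINDOW + 1):
        if last_used_step is not None and step_no <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step_no), code):
            return True, step_no
    return False, last_used_step
```

Persist the returned step alongside the secret after every successful verification; together with the core login-attempt limit described under the technical flow, that closes both the brute-force and the replay angle on a six-digit code.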