Tag: google authenticator

CakeDC upgrade adds Google Authenticator

A few days of work and almost a month of waiting. It was totally worth it. Yesterday at noon, the CakeDC community upgraded one of its major plugins with our Qobo patch. It allows users to enable Google Authenticator.

There’s no need anymore to use ‘dev-develop’ branches in composer.

Google Authenticator in CakePHP3.x

Google Authenticator is getting a new wave of interest from the web community, which is trying to put an extra layer on top of the user authentication process. There’s a plethora of plugins and components that let you authenticate with Google, but most of them aim at OAuth and Google+ integration. Two-step auth gets left aside.

I spent a few hours researching simple 2FA libraries available on the net and found TwoFactorAuth, which already supports Google URI QR codes and can be easily embedded into any framework/application running on PHP.

CakePHP3.x Integration

With a few minor modifications it integrated nicely into the CakePHP 3.x framework. If you’re using CakePHP 3.x, you can install the ‘develop’ branch of the CakeDC/Users plugin and enable two-factor authentication with a few minor modifications.

 <?php
 // config/app.php or any other config file that suits your app
 use Cake\Core\Configure;

 // Turn on the Google Authenticator step at login
 Configure::write('GoogleAuthenticator.login', true);
 /*
 Some other custom configs you might need:
 'GoogleAuthenticator' => [
     // enable Google Authenticator
     'login' => false,
     'issuer' => null,
     // The number of digits the resulting codes will be
     'digits' => 6,
     // The number of seconds a code will be valid
     'period' => 30,
     // The algorithm used
     'algorithm' => 'sha1',
     // QR-code provider (more on this later)
     'qrcodeprovider' => null,
     // Random Number Generator provider (more on this later)
     'rngprovider' => null,
     // Key used for encrypting the user credentials, leave this false to use Security.salt
     'encryptionKey' => false
 ],
 */
 ?>

When you enable the CakeDC/Users Google Authenticator feature, upon ‘/login’ you will be redirected to ‘/verify’, where you should enter the verification code from the mobile app (Google Authenticator for Android).

If you’re already sharing a secret key with the website/app, you won’t have to synchronize an app with it. Otherwise, you’ll have to scan it first, as described in the documentation. The QR code will appear on the ‘/verify’ action of the app.

UPD: CakeDC/Users has upgraded the plugin to 4.x version, which enables Google Authenticator in the master repo.

Base32 advantages over Base64

I stumbled upon these little facts about why engineers chose Base32 over Base64 for the shared secret key:

  1. The resulting character set is all one case, beneficial when using a case-insensitive filesystem, spoken language, or human memory.
  2. The Base32 result can be used as a file name because it cannot possibly contain the '/' symbol, which is the Unix path separator.
  3. To avoid similar-looking pairs of different symbols they picked an alphabet, so the strings can be accurately transcribed by hand.
  4. Base32 result excluding padding can be included in a URL without encoding any characters.

I’m sure everyone has mixed up 'I','B','0' and '1','8','0' in their life. RFC 4648 omits these symbols.
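The `digits`, `period` and `algorithm` settings from the configuration above and the Base32 shared secret discussed here are the inputs to the TOTP calculation defined in RFC 6238. The following standalone PHP is an added example, not code from CakeDC/Users or TwoFactorAuth: it decodes a hand-typed Base32 secret and verifies a code with a one-step clock-drift window. The function names are hypothetical, the secret is the RFC 6238 test value, and a 64-bit PHP build is assumed.

```php
<?php
// Added example (not CakeDC/Users or TwoFactorAuth code); function names are hypothetical.
const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648: no 0, 1, 8 or 9
function base32Decode(string $secret): string
{
    // Users retype secrets by hand: accept lower case, spaces and missing padding.
    $secret = rtrim(strtoupper(str_replace(' ', '', $secret)), '=');
    $bits = '';
    for ($i = 0; $i < strlen($secret); $i++) {
        $value = strpos(BASE32_ALPHABET, $secret[$i]);
        if ($value === false) {
            throw new InvalidArgumentException('Invalid Base32 character in secret');
        }
        $bits .= str_pad(decbin($value), 5, '0', STR_PAD_LEFT);
    }
    $key = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) { // leftover bits are padding
        $key .= chr(bindec(substr($bits, $i, 8)));
    }
    if ($key === '') {
        throw new InvalidArgumentException('Secret decodes to an empty key');
    }
    return $key;
}

function totp(string $key, int $time, int $digits = 6, int $period = 30, string $algorithm = 'sha1'): string
{
    $counter = pack('J', intdiv($time, $period)); // time step as 64-bit big-endian
    $hmac = hash_hmac($algorithm, $counter, $key, true);
    $offset = ord($hmac[strlen($hmac) - 1]) & 0x0F; // dynamic truncation, RFC 4226
    $code = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function verifyTotp(string $key, string $submitted, int $time, int $window = 1, int $period = 30): bool
{
    $valid = false;
    for ($step = -$window; $step <= $window; $step++) { // tolerate clock drift
        // hash_equals() is constant-time; check every step instead of returning early.
        $valid = hash_equals(totp($key, $time + $step * $period, 6, $period), $submitted) || $valid;
    }
    return $valid;
}

// Constructed input: the RFC 6238 test secret "12345678901234567890", typed with spaces.
$key = base32Decode('gezd gnbv gy3t qojq gezd gnbv gy3t qojq');
echo totp($key, 59, 8), PHP_EOL;                     // compare with RFC 6238 Appendix B (SHA-1, T=59)
var_dump(verifyTotp($key, totp($key, 59), 59 + 30)); // code from the previous step, inside the window
var_dump(verifyTotp($key, totp($key, 59), 59 + 90)); // code three steps old, outside the window
```

Keeping the window at one step limits how long an observed code stays replayable; a production check would also record the last accepted time step per user so the same code cannot be accepted twice.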

© 2018 Andy's Cave
