CakeDC upgrades users plugin with Google Authenticator

Few days of work, and almost a month of waiting, but it was totally worth it. Yesterday noon, CakeDC community upgraded one of its major plugins, with our Qobo patch, that allows users to enable Google Authenticator functionality I wrote about previously. There’s no need anymore to use ‘dev-develop’ branches in composer.

 

Google Authenticator in CakePHP3.x

Google Authenticator gets a new wave of interest from the web community, trying to put an extra layer on top of user authentication process. There’s a plethora of plugins and components that let you authenticate with Google, but most of them aim to OAuth and Google+ integration. Two-step auth gets aside.

I took few hours on research for the simple 2FA library available on the net and found TwoFactorAuth that already support Google URI QR-codes, that can be easily embedded into any framework/application running on PHP.

CakePHP3.x Integration

With few minor modifications it nicely got integrated into CakePHP 3.x framework. If you’re using CakePHP 3.x, you can install ‘develop’ branch, of CakeDC/Users plugin, and enable two-factor authentication with few minor modifications.

 <?php
 //config/app.php or any other config file that suites your app
 Configure::write('GoogleAuthenticator.login', true);
 /*
 some other custom configs you might need
 'GoogleAuthenticator' => [
            //enable Google Authenticator
            'login' => false,
            'issuer' => null,
            // The number of digits the resulting codes will be
            'digits' => 6,
            // The number of seconds a code will be valid
            'period' => 30,
            // The algorithm used
            'algorithm' => 'sha1',
            // QR-code provider (more on this later)
            'qrcodeprovider' => null,
            // Random Number Generator provider (more on this later)
            'rngprovider' => null,
            // Key used for encrypting the user credentials, leave this false to use Security.salt
            'encryptionKey' => false
        ],
*/
?>

When you enable it the CakeDC/Users Google Authenticator feature, upon ‘/login’ you will ll be redirected to ‘/verify’, where you should insert your verification code from the mobile app (Google Authenticator for Android).

If you’re already sharing a secret key with the website/app, you won’t have to synchronize an app with it. Otherwise, you’ll have to scan it first, as it’s described in the documentation. QR-code will appear on the ‘/verify’ action of the app.

UPD: CakeDC/Users has upgraded the plugin to 4.x version, which enables Google Authenticator in the master repo.

Base32 advantages over Base64

While working on Google Authenticator, stumbled upon these little facts, why base32 was chosen over base64 for shared secret key:

  1. The resulting character set is all one case, which can often be beneficial when using a case-insensitive filesystem, spoken language, or human memory.
  2. The Base32 result can be used as a file name because it can not possibly contain the ‘/’ symbol, which is the Unix path separator.
  3. The alphabet can be selected to avoid similar-looking pairs of different symbols, so the strings can be accurately transcribed by hand. (For example, the RFC 4648 symbol set omits the digits for one, eight and zero, since they could be confused with the letters ‘I’, ‘B’, and ‘O’.)
  4. Base32 result excluding padding can be included in a URL without encoding any characters.