Email/SMS 2-factor authentication (TfaEmail)

This is a push-based two-factor authentication method, where it sends out an email or SMS message to you with your authentication code.

Unlike TOTP, it doesn't rely on shared secrets/keys or algorithms, and instead verifies your identity based on your access to a particular email address or phone number. Whether that's beneficial or not depends on how secure that access is.

In the case of our TfaEmail module, it actually just relies upon email. But because phone numbers you can send an SMS/text to generally have a corresponding email address, this enables you to use it as an SMS delivery method as well. For instance, here's how you can send an SMS/text to various different phone companies (let's say your phone number was 123-456-7890, below are the email addresses you would use):

  • AT&T: 1234567890@txt.att.net
  • Project Fi: 1234567890@msg.fi.google.com
  • Sprint: 1234567890@messaging.sprintpcs.com
  • T-Mobile: 1234567890@tmomail.net
  • Verizon: 1234567890@vtext.com

Those are just examples. If you don't see your provider, just google "email to SMS [provider]" and it should be easy to find. Whether using email-to-SMS is ideal for this purpose, I don't really know—I only became familiar with the universality of email-to-SMS within the last week. But I do know that I want to make a lot of two-factor authentication methods available for ProcessWire, and that any authentication that adds two-factor on top of username/password requirements is going to be a nice security improvement over authentication that lacks it.

One benefit of this push-based approach is that if someone manages to get your username and password, you'll likely find out about it pretty quickly as you'll get an email or text about it immediately. Meanwhile, the attacker won't be able to login, unless they've already managed to break into your email (or SMS if using that).

Twitter updates

  • A review of weekly core updates, plus a simple recipe for a very effective listing cache—More
    24 June 2022
  • Weekly update: Making ProcessWire render pages at old WordPress URLs (or building a simple/custom URL router in PW): More
    17 June 2022
  • New post: ProcessWire now comes with just 1 site installation profile, the "blank" profile. It makes very few assumptions, making it a minimal though excellent starting point. Here’s how you might use it— More
    10 June 2022

Latest news

  • ProcessWire Weekly #424
    In the 424th issue of ProcessWire Weekly we'll check out the latest weekly update from Ryan, introduce a new third party module, and more. Read on!
    Weekly.pw / 25 June 2022
  • Starting a site with the “blank” profile
    ProcessWire 3.0.200+ comes with just 1 site installation profile, the site-blank profile. This profile makes very few assumptions, making it a minimal though excellent starting point. Here’s how you might use it. 
    Blog / 10 June 2022
  • Subscribe to weekly ProcessWire news

“To Drupal, or to ProcessWire? The million dollar choice. We decided to make an early switch to PW. And in retrospect, ProcessWire was probably the best decision we made. Thanks are due to ProcessWire and the amazing system and set of modules that are in place.” —Unni Krishnan, Founder of PigtailPundits