TOTP 2-factor authentication (TfaTotp)

TOTP stands for “Time-based One-Time Password”, an algorithm that computes a one-time password from a shared secret key and the current time.

TOTP is implemented by many mobile authenticator applications, so it is widely available and in widespread use. All of these authenticator applications (and likely others) support TOTP, and you can use them with ProcessWire:

  • Google Authenticator (Android, iOS)
  • Microsoft Authenticator (Android, iOS)
  • 1Password (Android, iOS, Windows, Mac)
  • Authy (Android, iOS, Windows, Mac, cloud-sync)
  • LastPass Authenticator (Android, iOS, Windows, Mac, Linux, cloud-sync)

One of the nice things about TOTP is that all the applications implement the same algorithm (described in RFC 6238), and thus there is likely to be broad compatibility between them.

TOTP relies upon a long string of characters called a "secret", which is a private key that is stored server-side with the user account when enabling two-factor auth. When you use your phone and authenticator app to scan a QR code, it is sharing that secret with your phone. From that point forward, the website and phone can confirm identity with a 6-digit code that changes every 30 seconds.

What if your phone dies or gets lost? Since the private key (secret) is stored on your phone, you'd no longer have the ability to generate authentication codes. So this could be a problem, unless you've got a backup of your private key. Applications like Authy and LastPass keep that backup for you (cloud-sync). If you are using another application like Google Authenticator, you could always keep your own backup of the QR code/secret, so that you could plug it into any other phone or authentication app and continue to generate codes with it. But if you were to do that, you'd want to do so very securely, as the more copies of that secret that there are, the less secure it is.

To use TOTP two-factor authentication in ProcessWire, you must be running version 3.0.109 or newer, and you must install the TfaTotp module (link below).
