Jump to content

2-factor authentication module


Recommended Posts

I've been working on an experimental module set that adds 2-factor authentication to ProcessWire with the help of Steve Gibson's PPP one-time-pad system.

This is split into two modules; a CryptoPPP library that implements the otp system and a 2-factor authentication module that uses it to add 2-factor authentication to ProcessWire.

The 2-factor module adds an additional "Login Token" field to the login page into which the authenticating user will need to enter the next unused token from their one-time-pad. Pages from their pad can either be printed out in advance in a credit-card sized format (with codes being crossed out as they are used as shown here) or the required token can be sent to their registered email address so they don't need to print anything out. This second option requires a good email address be present in the user's account in order for them to be sent the token.

Email Delivery

To set up email delivery go to the 2-factor module's config page and choose "token delivery via email" and save the settings. Next, make sure that every user who will use the system has a valid email address set up in their account. Upon the first failed user login attempt, the required token will be emailed to the user’s email address and they should then be able to log in.

Printing Pages From The Pad

If you prefer to print the tokens in a handy credit-card sized format then…

  • Go to your profile screen
  • Expand the “PPP Initialisation Vector” field
  • Hit the “Show Token Cards” button to open a new browser window with the next 3 useful cards
  • Use your browser’s print option to print these out
  • Trim them to size and store

...but make sure you print these out before you enable 2-factor authentication on your account. If you cross out your used codes, you will always know which code to use when logging back in -- and if you forget, the first login attempt will fail and the token field will then prompt you with the location of the correct code to use.

Why would I ever want to use 2-factor authentication?

If your site is only for you or for people you know use good passwords then you probably never will need a 2-factor authentication system. But it has been shown that many users use passwords that are, well, rubbish not very good and having a second factor can be useful in mitigating poor passwords. As the second factor in this system comes out of a one-time-pad system (meaning it will not be reused) then having the user's password leaked or guessed should not compromise their account nor will having someone spy out the token they are using to log-in as tokens are not re-used (well, not for a very long time.)

Known Problems

  • You need to hit the save button after you install the 2-factor module to get it to remember the initial settings. (I guess I'm not setting the defaults correctly at present but pressing the button will allow you to move forward for now)
  • Uninstall of the 2-factor module leads to a lot of warnings.




  • Like 10
Link to comment
Share on other sites

This is really awesome Steve, and a great idea. Just tested out here and it works great! Thanks for your work with this module, it looks really well put together.

One question: why is CryptoPPP.module kept separate? Just wondering if this might be simpler for people to install if they could just download 1 zip (or 1 clone) and have everything needed in 1 directory. You could add CryptoPPP to your getModuleInfo 'installs' line, and have it install and/or uninstall automatically with Auth2FactorPPP (ProcessWire will do this for you have you use that 'installs' property). Though if you are planning to make other modules that use CryptoPPP, then I suppose it makes sense to keep them separate. But just wanted to check.

I would love to see this in the modules directory if you have time to add it: http://modules.processwire.com/add/ … thanks again for the great work you've done with these modules!

  • Like 1
Link to comment
Share on other sites

This is really awesome Steve, and a great idea. Just tested out here and it works great!

That's good to know Ryan, thanks for testing it.

One question: why is CryptoPPP.module kept separate? Just wondering if this might be simpler for people to install if they could just download 1 zip (or 1 clone) and have everything needed in 1 directory. You could add CryptoPPP to your getModuleInfo 'installs' line, and have it install and/or uninstall automatically with Auth2FactorPPP (ProcessWire will do this for you have you use that 'installs' property). Though if you are planning to make other modules that use CryptoPPP, then I suppose it makes sense to keep them separate. But just wanted to check.

I wasn't aware of the installs property, must have missed that from my reading of the wiki.

I separated it in case anyone else wanted to develop modules that use the PPP one-time-pad system (though I don't have any further plans to right now) and also because the code in CryptoPPP is mainly comprised of parts of existing PHP implementations of the PPP system and I wanted to able to credit those folks in the module's information. My contributions are mainly within the 2-factor authentication module.

I would love to see this in the modules directory if you have time to add it: http://modules.processwire.com/add/ … thanks again for the great work you've done with these modules!

I plan on doing that once there has been some additional testing and I've worked out the two problems I have with it at present (see the Known Problems part of the opening post.)

  • Like 1
Link to comment
Share on other sites

  • 3 weeks later...

Hello, can anybody help me work out why this module's uninstall code doesn't seem to work cleanly?

I define an array of fields that the module creates and then adds into the user template on install. However, when reversing this in the uninstall() method I get multiple errors.

I must have missed something; the uninstall seems to be doing the reverse of the install routine (to me) yet I get multiple errors saying "Unable to delete from 'field_ppp_login_enable' for field that doesn't exist in fields table" even though that field only undergoes a single delete() call -- and, unless removing() it from the template's fieldgroup also deletes it -- it should exist at the point delete() is called.


Link to comment
Share on other sites

I think I understand what's going on, though haven't stepped through the live code yet. But it looks to me like there's potentially an issue in PW's Fieldgroups::save function where it doesn't like to be called multiple times. It queues fields for removal and doesn't do the actual remove until you call Fieldgroup::save. That's what it should do. But as far as I can tell, Fieldgroups::save doesn't clear out the removal queue after it completes the save, meaning it may try to remove something that's already been removed if you are making multiple calls to it. Assuming I'm right about that, it's an easy fix to the core (and already made it locally), but for compatibility with current versions, try making this change:

after your $t->fieldgroup->save(); in uninstallField add this line:


does that fix it?

  • Like 1
Link to comment
Share on other sites

  • 5 months later...

Steve, this is a way cool Module, thanks so much :D

I am (once again (no surprises here)) a total newb at PPP so I wonder if I might ask you a quick question? I would like to

To create tokens with a format such as ‘X7gM-jA9v-KtWs’

as you say in github. Using this code

$key = CryptoPPP::genKeys();
$key = CryptoPPP::keyToTokenBlocks($key);

I am getting this sort of output


What do I need to do to adjust the number of characters and also to ensure I get codes like the example you have (ones that will be safe to use as GET variables such as X7gM-jA9v-KtWs)?

Thanks very much in advance for any comments.

PS: I have no clue how I am going to do it (yet) but I am hoping to use this as part of a verification process so when someone makes a booking, they are sent an email with a link back to example.com/check-the-email/X7gM-jA9v-KtWs and if the X7gM-jA9v-KtWs is found then we know they got the code in the first place so we are happy and can continue. I think I know the steps I want but not done the code yet; exciting!

Link to comment
Share on other sites

Hi Alan,

Try something like this...

$key = CryptoPPP::genKeys();
$key = CryptoPPP::keyToTokenBlocks($key, 4, 3, '-', CryptoPPP::DISTINCT_CHARSET);

That's off the top of my head and untested. You should get three blocks of four chars from the "Distinct charset" (which should be safe as a GET variable) with a dash between the blocks.

You can check the parameters of keyToTokenBlocks here, and here are the characters from the "distinct charset".

  • Like 1
Link to comment
Share on other sites

Hey Alan,

No probs re the docs.

Something you might want to consider: Reducing the number of characters in the output character set (by using the distinct charset) does reduce the strength of the generated token somewhat so you may want to consider increasing the length of your generated tokens to compensate for this -- maybe by using 4 runs of 4 chars.

  • Like 1
Link to comment
Share on other sites

Thanks for the tip Steve, yeah I'd already gone off like fox in a chicken coop and so far was playing with 6 6 (it's addictive just seeing those lovely long random strings) :D Doing something else right now but really looking forward to coming back to this and tackling implementing it for real.

Link to comment
Share on other sites

  • 5 months later...

Hi Steve/chums,

Sorry to type-n-go but late and wanted to ask this quickly in case it's easy (hoping ;))

I have just put a site up that was running aok here on MAMP and have hit a PHP dependency (I think) that it looks like my host does not (yet) provide but MAMP does.

When I go to a page that uses this brilliant crypto module locally, all AOK, on the host I get:

Fatal error: Call to undefined function bcmul() in /var/www/.../site/modules/CryptoPPP/CryptoPPP.module on line 78
This error message was shown because site is in debug mode ($config->debug = true; in /site/config.php). Error has been logged.

I did a phpinfo to see if bcmul is something I can turn on in php.ini but seems not.

This seems to suggest a solution.

Any pointers as how to best solve this? Thank you VERY much indeed for any help! Cheers, -Alan

Link to comment
Share on other sites

Hi Alan,

Really busy here at the moment so sorry for the brief reply but, yes, the "bc" maths functions are needed for the PPP library. I thought I had the modules check for availability of those functions when it was installed (will check later) did you clone your site to your host (in which case modules will not execute the prerequisite function availability check) or did you try installing the modules directly on the host?

Edited by netcarver
  • Like 1
Link to comment
Share on other sites

Hi Steve,

Really busy here at the moment so sorry for the brief reply

NO problem! I don't have a SLA with you :)

did you clone your site to your host (modules will not execute prerequisite code) or did you try installing the modules directly on the host?

I did clone. I will try to uninstall and reinstall and post back (but if I understand this right it won't help, but will do anyway just in case).

Thanks VERY much for replying at all when you are busy and no expectations here for any speed of next reply, thanks again! Cheers, -Alan

Link to comment
Share on other sites

Hi Steve,

Uninstall and re-install does helpfully say

Unable to install module 'CryptoPPP': bcadd not available

so I will go talk to my hoster to see if I can have this added. I am guessing they will say my PHP build is locked down and I can't (bless).

Assuming I can't, as/when you are able, do you know off hand if that idea/alt code in that link might help me? Tots understand if you have no time to answer. Cheers, -Alan

Link to comment
Share on other sites

Update: to get me out of a hole I am using an alternative solution; so no worries. All I was using CryptoPPP for was to get a lovely one-time random string (so I was not using it to do much) and my solution was the following, I needed it to provide a degree of unpredictable-ness so humans could not guess it and I needed to ensure it was unique, hence the use of a rand fn + date stamp:

// Based on http://stackoverflow.com/a/4356295/236306 plus a mod of mine, namely I tack the output of time() on the end, see inline comment below
function crypto($length = 6) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, strlen($characters) - 1)];
    // Right up until here the code is not mine, the line below is edited by me to tack a unix timestamp on the end
    return $randomString . time();

This returns this sort of thing each time it's run, if for example you run it once per second (which I don't):




Link to comment
Share on other sites

  • 3 years later...
  • 1 year later...
  • 2 months later...


Sorry for the slow response to this, but I just updated both the 2-Factor authentication module (for PW3+) and the CryptoPPP library module (switched it to OpenSSL.) If you still want to, try grabbing the latest version 3.1.1 and that should work under PHP 7.2.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By LuisM
      Symprowire is a PHP MVC Framework based and built on Symfony using ProcessWire 3.x as DBAL and Service-Provider
      It acts as a Drop-In Replacement Module to handle the Request/Response outside the ProcessWire Admin. Even tough Symfony or any other mature MVC Framework could be intimidating at first, Symprowire tries to abstract Configuration and Symfony Internals away as much as possible to give you a quick start and lift the heavy work for you.
      The main Goal is to give an easy path to follow an MVC Approach during development with ProcessWire and open up the available eco-system.
      You can find the GitHub Repo and more Information here: https://github.com/Luis85/symprowire
      The Symprowire Wiki https://github.com/Luis85/symprowire/wiki How to create a simple Blog with Symprowire https://github.com/Luis85/symprowire/wiki/Symprowire-Blog-Tutorial Last Update
      16.07.2021 // RC 1 v0.6.0 centralized ProcessWire access trough out the Application by wrapping to a Service https://github.com/Luis85/symprowire/releases/tag/v0.6.0-rc-1 Requirements
      PHP ^7.4 Fresh ProcessWire ^3.0.181 with a Blank Profile Composer 2 (v1 should work, not recommended) The usual Symfony Requirements Features
      Twig Dependency Injection Monolog for Symprowire Support for .env YAML Configuration Symfony Console and Console Commands Symfony Webprofiler Full ProcessWire access inside your Controller and Services Webpack Encore support Caveats
      Symfony is no small Framework and will come with a price in terms of Memory Usage and added Overhead. To give you a taste I installed Tracy Debugger alongside to compare ProcessWire profiling with the included Symfony Webprofiler

      So in a fresh install Symprowire would atleast add another 2MB of Memory usage and around 40ms in response time, should be less in production due to the added overhead of the Webprofiler in dev env
    • By FireWire
      Hello community!

      I want to share a new module I've been working on that I think could be a big boost for multi-language ProcessWire sites.

      Some background, I was looking for a way for our company website to be efficiently translated as working with human translators was pretty laborious and a lack of updating content created a divergence between languages. I, and several other devs here, have talked about translation integrations and have recognized the power that DeepL has. DeepL is an AI deep learning powered service that delivers translation quality beyond any automated service available. After access to the API was opened up to the US, I built Fluency, a DeepL translation integration for ProcessWire.
      Fluency brings automated translation to every multi-language field in the admin, and also provides a translation tool allowing the user to translate their text to any language without it being inside a template's field. With Fluency you can:
      Translate any plain textarea or text input Translate any CKEditor content (yes, with markup) Translate page names for fully localized URLs on every page Translate your in-template translation function wrapped strings Translate modules Fluency is free, and now so is DeepL
      Since this module was first built DeepL has introduced free Developer accounts that allow anyone to start using Fluency at zero cost and beginning with the version 0.3.0 release Fluency now supports free DeepL accounts. As of June 2021 DeepL supports translation to 26 languages and continues to offer more!
      Installation and usage is completely plug and play. Whether you're building a new multi-language site, need to update a site to multi-language, or simply want to stop manually translating a site and make any language a one-click deal, it could not be easier to do it. Fluency works by having you match the languages configured in ProcessWIre to DeepL's. You can have your site translating to any or all of the languages DeepL translates to in minutes (quite literally).
      Let's break out the screenshots...
      When the default language tab is shown, a message is displayed to let users know that translation is available. Clicking on each tab shows a link that says "Translate from English". Clicking it shows an animated overlay with the word "Translating..." cycling through each language and a light gradient shift. Have a CKEditor field? All good. Fluency will translated it and use DeepL's ability to translate text within HTML tags. CKEditor fields can be translated as easily and accurately as text/textarea fields.

      Repeaters and AJAX created fields also have translation enabled thanks to a JavaScript MutationObserver that searches for multi-language fields and adds translation as they're inserted into the DOM. If there's a multi-language field on the page, it will have translation added.

      Same goes for image description fields. Multi-language SEO friendly images are good to go.

      Creating a new page from one of your templates? Translate your title, and also translate your page name for native language URLs. (Not available for Russian, Chinese, or Japanese languages due to URL limitations). These can be changed in the "Settings" tab for any page as well so whether you're translating new pages or existing pages, you control the URLs everywhere.

      Language configuration pages are no different. Translate the names of your languages and search for both Site Translation Files (including all of your modules)

      Translate all of the static text in your templates as well. Notice that the placeholders are retained. DeepL is pretty good at recognizing and keeping non-translatable strings like that. If it is changed, it's easy to fix manually.

      Fluency adds a "Translate" item to the CMS header. When clicked this opens up a modal with a full translation tool that lets the user translate any language to any language. No need to leave the admin if you need to translate content from a secondary language back to the default ProcessWire language. There is also a button to get the current API usage statistics. DeepL account owners can set billing limitations via character count to control costs. This may help larger sites or sites being retrofitted keep an eye on their usage. Fluency can be used by users having roles given the fluency-translate permission.

      It couldn't be easier to add Fluency to your new or existing website. Simply add your API key and you're shown what languages are currently available for translation from/to as provided by DeepL. This list and all configuration options are taken live from the API so when DeepL releases new languages you can add them to your site without any work. No module updates, just an easy configuration. Just match the language you configured in ProcessWire to the DeepL language you want it to be associated with and you're done. Fluency also allows you to create a list of words/phrases that will not be translated which can prevent items such as brands and company names from being translated when they shouldn't

      No "translate page" - Translating multiple fields can be done by clicking multiple translation links on multiple fields at once but engineering a "one click page translate" is not feasible from a user experience standpoint. The time it takes to translate one field can be a second or two, but cumulatively that may take much longer (CKEditor fields are slower than plain text fields). There may be a workaround in the future but it isn't currently on the roadmap. No "translate site" - Same thing goes for translating an entire website at once. It would be great, but it would be a very intense process and take a very (very) long time. There may be a workaround in the future but it isn't on the roadmap. No current support for Inline CKEditor fields - Handling for CKEditor on-demand hasn't been implemented yet, this is planned for a future release though and can be done. I just forgot about it because I've never really used that feature personally.. Alpha release - This module is in alpha. Releases should be stable and usable, but there may be edge case issues. Test the module thoroughly and please report any bugs via a Github issue on the repository or respond here. Please note that the browser plugin for Grammarly conflicts with Fluency (as it does with many web applications). To address this issue it is recommended that you disable Grammarly when using Fluency, or open the admin to edit pages in a private window where Grammarly may not be loaded. This is an issue that may not have a resolution as creating a workaround may not be possible. If you have insight as to how this may be solved please visit the Github page and file a bugfix ticket.
      ProcessWire  3.0+ UIKit Admin Theme That's Fluency in a nutshell. A core effort in this module is to create it so that there is nothing DeepL related hard-coded in that would require updating it when DeepL offers new languages. I would like this to be a future-friendly module that doesn't require developer work to keep it up-to-date.
      The Module Is Free
      This is my first real module and I want to give it back to the community as thanks. This is the best CMS I've worked with (thank you Ryan & contributors) and a great community (thank you dear reader).
      DeepL Developer Accounts
      In addition to paid Pro Developer accounts, DeepL now offers no-cost free accounts. Now all ProcessWire developers and users can use Fluency at no cost.
      Learn more about free and paid accounts by visiting the DeepL website. Sign up for a Developer account, get an API key, and start using Fluency today.
      Download & Feedback
      Download the latest version here
      Github repository:
      File issues and feature requests here (your feedback and testing is greatly appreciated):
      Thank you! ¡Gracias! Ich danke Ihnen! Merci! Obrigado! Grazie! Dank u wel! Dziękuję! Спасибо! ありがとうございます! 谢谢你!

    • By tcnet
      PageViewStatistic for ProcessWire is a module to log page visits of the CMS. The records including some basic information like IP-address, browser, operating system, requested page and originate page. Please note that this module doesn't claim to be the best or most accurate.
      One of the biggest advantage is that this module doesn't require any external service like Google Analytics or similar. You don't have to modify your templates either. There is also no Javascript or image required.
      There is only one disadvantage. This module doesn't record visits if the browser loads the page from its browser cache. To prevent the browser from loading the page from its cache, add the following meta tags to the header of your page:
      <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="Pragma" content="no-cache" /> <meta http-equiv="Expires" content="0" /> How to use
      The records can be accessed via the Setup-menu of the CMS backend. The first dropdown control changes the view mode.

      Detailed records
      View mode "Detailed records" shows all visits of the selected day individually with IP-address, browser, operating system, requested page and originate page. Click the update button to see new added records.

      Cached visitor records
      View modes other than "Detailed records" are cached visitor counts which will be collected on a daily basis from the detailed records. This procedure ensures a faster display even with a large number of data records. Another advantage is that the detailed records can be deleted while the cache remains. The cache can be updated manually or automatically in a specified time period. Multiple visits from the same IP address on the same day are counted as a single visitor.

      Upgrade from older versions
      Cached visitor counts is new in version 1.0.8. If you just upgraded from an older version you might expire a delay or even an error 500 if you display cached visitor counts. The reason for this is that the cache has to be created from the records. This can take longer if your database contains many records. Sometimes it might hit the maximally execution time. Don't worry about that and keep reloading the page until the cache is completely created.
      Special Feature
      PageViewStatistic for ProcessWire can record the time a visitor viewed the page. This feature is deactivated by default. To activate open the module configuration page and activate "Record view time". If activated you will find a new column "S." in the records which means the time of view in seconds. With every page request, a Javascript code is inserted directly after the <body> tag. Every time the visitor switches to another tab or closes the tab, this script reports the number of seconds the tab was visible. The initial page request is recorded only as a hyphen (-).

      New in version 1.1.0
      A new feature comes with version 1.1.0 which offers to record user names of loggedin visitors. Just activate "Record user names" and "Record loggedin user" in the module settings.
      You can access the module settings by clicking the Configuration button at the bottom of the records page. The settings page is also available in the menu: Modules->Configure->ProcessPageViewStat.
      This module uses the IP2Location database from: http://www.ip2location.com. This database is required to obtain the country from the IP address. IP2Location updates this database at the begin of every month. The settings of ProcessPageViewStat offers the ability to automatically download the database monthly. Please note, that automatically download will not work if your webspace doesn't allow allow_url_fopen.
      This module uses DragScroll. A JavaScript available from: http://github.com/asvd/dragscroll. Dragscroll adds the ability in view mode "Day" to drag the records horizontally with the mouse pointer.
      This module uses the PHP class parseUserAgentStringClass available from: http://www.toms-world.org/blog/parseuseragentstring/. This class is required to filter out the browser type and operating system from the server request.
    • By clsource
      Inertia Adapter ProcessWire Module
      Hello! Long time no see.
      I created this module so you can use Inertia.js (https://inertiajs.com/) with ProcessWire.
      Inertia allows you to create fully client-side rendered, single-page apps, without much of the complexity that comes with modern SPAs. It does this by leveraging existing server-side frameworks.
      Inertia isn’t a framework, nor is it a replacement to your existing server-side or client-side frameworks. Rather, it’s designed to work with them. Think of Inertia as glue that connects the two. Inertia comes with three official client-side adapters (React, Vue, and Svelte).
      This is an adapter for ProcessWire. Inertia replaces PHP views altogether by returning JavaScript components from controller actions. Those components can be built with your frontend framework of choice.
      - https://github.com/joyofpw/inertia
      - https://github.com/joyofpw/inertia-svelte-mix-pw
      - https://inertiajs.com/

    • By sms77io
      Hi all,
      we made a small module for sending SMS via Sms77.io. It supports sending to one and multiple users.
      You can download it from GitHub and follow the instructions on how to install it - it is quite easy. An API key is required for sending, get yours for free @ Sms77 and receive 0,50 €.
      Hope this helps somebody and we are open for improvement suggestions!
      Best regards
  • Create New...