Documentation » User

6. API »

« 4. Advanced Configuration

5. Two-step Validation (with Google Authenticator)

The SonataUserBundle provides an optional layer of security by including a support for a Two-step Validation process.

When the option is enabled, the login process is done with the following workflow:

  • the user enters the login and password
  • if the user get the correct credentials, then a code validation form is displayed
  • at this point, the user must enter a time based code provided by the Google Authenticator application
  • the code is valid only once per minute

So if your login and password are compromised then the hacker must also hold your phone!

5.1. Installation

composer require sonata-project/google-authenticator

Edit the configuration file:

# config/packages/sonata_user.yaml

        enabled: true
            - ROLE_ADMIN

Also, if you want to use trusted_ip_list and forced_for_role configuration nodes for automatically setting the secret to user (secret - a connection between user and device that will scans QR-code) and showing QR-code in login form, you need to set the success handler in your firewall to, example:

# config/packages/security.yaml

        # Disabling the security for the web debug toolbar, the profiler and Assetic.
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # -> custom firewall for the admin area of the URL
            pattern:             /admin(.*)
            context:             user
                provider:        fos_userbundle
                login_path:      /admin/login
                use_forward:     false
                check_path:      /admin/login_check
                failure_path:    null

Then after success login, if the user needs to use 2FA and has no secret, a QR code will be shown in the login form.

Now if the User::twoStepVerificationCode property is not null, then a second form will be displayed.

Found a typo? Something is wrong in this documentation? Just fork and edit it!