
cherubimro/drupal-mfa
=====================

FIDO2/WebAuthn and TOTP multi-factor authentication for Drupal

v1.0.1 (4mo ago) | GPL-2.0-or-later | PHP >=7.4

[Source](https://github.com/cherubimro/drupal-mfa) | [Packagist](https://packagist.org/packages/cherubimro/drupal-mfa)

WebAuthn/TOTP Multi-Factor Authentication for Drupal 9
======================================================


A Drupal 9 module providing FIDO2/WebAuthn security key and TOTP authenticator app support for two-factor (2FA) and multi-factor (MFA) authentication.

Features
--------


- **WebAuthn/FIDO2** — hardware security keys, platform authenticators, passkeys
- **TOTP** — authenticator apps (Google Authenticator, andOTP, FreeOTP, Aegis, etc.)
- **MFA mode** — require both methods when both are configured
- **2FA mode** — any single method suffices
- Per-user 2FA toggle with admin policy override (optional/required)
- 2FA gate via event subscriber — users are jailed to the verification page until all required factors are verified
- User self-service key management at `/user/{uid}/security-keys`
- Admin configuration at `/admin/config/people/webauthn`
- Clone detection for WebAuthn credentials (sign counter anomaly)
- Drupal 10/11 forward-compatible (`once()` API)

Requirements
------------


- Drupal 9.2+ (compatible with 10/11)
- PHP 7.4+
- HTTPS (required by WebAuthn browser API)

Installation
------------


```
cd modules/webauthn
composer install
```

Enable the module via Drush or the admin UI:

```
drush en webauthn
```

Configuration
-------------


1. Go to `/admin/config/people/webauthn`
2. Set **Relying Party ID** — your domain (e.g. `example.com`). Must match the domain users access the site from.
3. Set **Relying Party Name** — displayed in authenticator prompts
4. Choose **Policy**:
    - `optional` — users choose whether to enable 2FA
    - `required` — all users must set up at least one 2FA method
5. Choose **Verification Mode**:
    - `any` — any single configured method clears the gate (2FA)
    - `all` — every configured method must be verified (MFA)

Architecture
------------


### Login flow


1. User submits username/password at `/user/login`
2. `hook_form_user_login_form_alter()` replaces the submit handler
3. Custom handler checks policy and user 2FA configuration
4. If 2FA is required: authenticates the user, sets `webauthn_2fa_pending` in the session, and redirects to `/user/webauthn-verify`
5. `WebAuthn2faSubscriber` (priority 30) blocks all routes except verify, AJAX endpoints, and logout while the flag is set
6. Verification page presents configured methods (WebAuthn, TOTP, or both)
7. On successful verification, the session flag is cleared and the user is redirected to their original destination

### MFA step tracking


In `all` mode, `complete2fa()` tracks completed methods in the `webauthn_mfa_completed` session array. Each verification returns a partial response until all configured methods are verified. The JS handles step transitions and progress indicators.
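
A minimal sketch of the gate and step-tracking logic described in the login flow and MFA step tracking sections, added here as an illustration and not taken from the module's source. The session is modelled as a plain array, `gate_allows()` and `complete_2fa()` are hypothetical names, and `AJAX_PREFIX` is an assumed path because the README does not list the AJAX routes.

```php
<?php
// Added illustration; not the module's code. Session is a plain array here.

const VERIFY_PATH = '/user/webauthn-verify';  // from the README
const LOGOUT_PATH = '/user/logout';           // Drupal core logout path
const AJAX_PREFIX = '/webauthn/ajax/';        // hypothetical: AJAX paths are not listed in the README

/** Gate: while the pending flag is set, only verify, AJAX and logout are reachable. */
function gate_allows(array $session, string $path): bool {
  if (empty($session['webauthn_2fa_pending'])) {
    return TRUE;
  }
  return $path === VERIFY_PATH
    || $path === LOGOUT_PATH
    || strncmp($path, AJAX_PREFIX, strlen(AJAX_PREFIX)) === 0;
}

/**
 * Record one verified factor and decide whether the gate may open.
 * $configured: methods the user has set up, e.g. ['webauthn', 'totp'].
 * $mode: 'any' (2FA) or 'all' (MFA), as in the Verification Mode setting.
 */
function complete_2fa(array &$session, array $configured, string $method, string $mode): array {
  if (!in_array($method, $configured, TRUE)) {
    // A method the user never configured must not count toward completion.
    return ['status' => 'rejected', 'remaining' => $configured];
  }
  $done = $session['webauthn_mfa_completed'] ?? [];
  $done = array_values(array_unique(array_merge($done, [$method])));
  $remaining = array_values(array_diff($configured, $done));

  // Fail closed: any mode other than 'any' is treated as 'all'.
  if ($mode !== 'any' && $remaining !== []) {
    $session['webauthn_mfa_completed'] = $done;  // partial: gate stays closed
    return ['status' => 'partial', 'remaining' => $remaining];
  }
  // 'any' mode, or every configured method verified: clear all gate state.
  unset($session['webauthn_2fa_pending'], $session['webauthn_mfa_completed']);
  return ['status' => 'complete', 'remaining' => []];
}

// Constructed walk-through: user has both methods, site is in 'all' mode.
$session = ['webauthn_2fa_pending' => TRUE];
var_dump(gate_allows($session, '/admin'));
print_r(complete_2fa($session, ['webauthn', 'totp'], 'totp', 'all'));
var_dump(gate_allows($session, '/admin'));
print_r(complete_2fa($session, ['webauthn', 'totp'], 'webauthn', 'all'));
var_dump(gate_allows($session, '/admin'));
```

The pending flag is only cleared in the same branch that reports `complete`, so a partial response can never leave the gate open.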

### Services


| Service | Class | Purpose |
| --- | --- | --- |
| `webauthn.manager` | `WebAuthnManager` | FIDO2 ceremony logic, credential DB ops |
| `webauthn.totp_manager` | `TotpManager` | TOTP secret management, QR codes, verification |
| `webauthn.2fa_subscriber` | `WebAuthn2faSubscriber` | Request gate during pending 2FA |

### Database


- `webauthn_credentials` — stores WebAuthn credential public keys, metadata
- `users_data` (Drupal core) — stores per-user TOTP secrets and 2FA enabled flag

Libraries
---------


| Library | License | Purpose |
| --- | --- | --- |
| [lbuchs/webauthn](https://github.com/nicoswd/webauthn) v2.2 | MIT | FIDO2/WebAuthn ceremony logic |
| [spomky-labs/otphp](https://github.com/Spomky-Labs/otphp) v10.x | MIT | TOTP generation and verification |
| [chillerlan/php-qrcode](https://github.com/chillerlan/php-qrcode) v5.x | MIT / Apache-2.0 | QR code rendering (inline SVG) |

File structure
--------------


```
├── composer.json
├── config/
│   ├── install/webauthn.settings.yml
│   └── schema/webauthn.schema.yml
├── css/webauthn.css
├── js/webauthn.js
├── src/
│   ├── Controller/
│   │   ├── WebAuthnController.php        # AJAX endpoints
│   │   └── WebAuthnUserSettingsController.php
│   ├── EventSubscriber/
│   │   └── WebAuthn2faSubscriber.php     # 2FA gate
│   ├── Form/
│   │   ├── WebAuthnAdminSettingsForm.php
│   │   └── WebAuthnVerifyForm.php
│   └── Service/
│       ├── TotpManager.php
│       └── WebAuthnManager.php
├── templates/
│   ├── webauthn-user-settings.html.twig
│   └── webauthn-verify.html.twig
├── webauthn.info.yml
├── webauthn.install
├── webauthn.libraries.yml
├── webauthn.links.menu.yml
├── webauthn.links.task.yml
├── webauthn.module
├── webauthn.permissions.yml
├── webauthn.routing.yml
└── webauthn.services.yml

```

Permissions
-----------


- `administer webauthn` — access admin settings page
- `manage own security keys` — register/delete keys, configure TOTP, toggle 2FA

License
-------


GPL-2.0-or-later
