PHPackages q23/mfa-email - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. q23/mfa-email ActiveTypo3-cms-extension[Authentication & Authorization](/categories/authentication) q23/mfa-email ============= Email-based two-factor authentication for TYPO3 frontend users 00PHP Since Apr 13Pushed 1mo agoCompare [ Source](https://github.com/q23/mfa-email)[ Packagist](https://packagist.org/packages/q23/mfa-email)[ RSS](/packages/q23-mfa-email/feed)WikiDiscussions main Synced 1w ago READMEChangelogDependenciesVersions (5)Used By (0) q23\_mfa\_email — Email Two-Factor Authentication for TYPO3 =========================================================== [](#q23_mfa_email--email-two-factor-authentication-for-typo3) [![TYPO3](https://camo.githubusercontent.com/ebabe0a8105378f3f366ee2235e4dcd50a97659b62c3f6c7e7436f832f12a852/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5459504f332d31322e342d6f72616e67652e737667)](https://typo3.org)[![PHP](https://camo.githubusercontent.com/7535257ca228724c93658bd52583d4e47a9bab02c356abf6e54c1d575f2151e6/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048502d382e312532422d626c75652e737667)](https://php.net)[![License](https://camo.githubusercontent.com/36be30f8feb7f55eb28b8a3026863de08ab79c957b768d8f16009c2f5cff8830/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d47504c2d2d322e302d2d6f722d2d6c617465722d677265656e2e737667)](LICENSE)[![Packagist](https://camo.githubusercontent.com/ae7c89e6bdaf033d2568fba19906118a6ade3837b809e4c3b78b4c83817589b4/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f7132332f6d66612d656d61696c)](https://packagist.org/packages/q23/mfa-email) A TYPO3 12.4 extension that adds **email-based two-factor authentication** to the frontend login. After a user logs in with username and password, a 6-digit code is sent to their registered email address. The user must enter this code to complete login. Features -------- [](#features) - **PSR-15 middleware** — integrates cleanly into the TYPO3 request pipeline - **Global or per-user toggle** — enable for everyone or selectively per `fe_users` record - **Brute-force protection** — lockout after 5 failed attempts (15 minutes) - **Time-limited codes** — expire after 6 minutes - **Bcrypt storage** — codes are never stored in plaintext - **Single-use codes** — immediately invalidated after successful verification - **Auto-migration** — required database fields are created on first load - **Configurable branding** — site name, email subject, and signature via extension settings - **No dependencies** — uses only TYPO3 core APIs Quick Start ----------- [](#quick-start) ``` composer require q23/mfa-email ``` 1. Flush caches: **Maintenance → Flush all caches** 2. Go to **Admin Tools → Settings → Extension Configuration → q23\_mfa\_email** 3. Enable the global 2FA setting — or configure MFA per frontend user Requirements ------------ [](#requirements) - TYPO3 12.4.x - `felogin` system extension (included with TYPO3) - Working TYPO3 mail configuration (`$GLOBALS['TYPO3_CONF_VARS']['MAIL']`) Documentation ------------- [](#documentation) - [Installation](docs/installation.md) - [Configuration](docs/configuration.md) - [Security Architecture](docs/security.md) - [DSGVO / GDPR Notes](docs/dsgvo.md) How It Works ------------ [](#how-it-works) 1. User submits username and password via `felogin` 2. TYPO3's authentication middleware authenticates the credentials 3. This extension's middleware intercepts the request 4. A 6-digit code is generated, bcrypt-hashed, and stored; the plaintext code is emailed 5. The user enters the code in the verification form 6. On success: session is marked as verified, user is redirected (303) to the original page 7. The code is immediately deleted from the database Contributing ------------ [](#contributing) See [CONTRIBUTING.md](CONTRIBUTING.md). For security vulnerabilities, see [SECURITY.md](SECURITY.md) — please do not use public issues. License ------- [](#license) GPL-2.0-or-later — see [LICENSE](LICENSE). Developed by [q23.medien GmbH](https://q23.de). ### Health Score 21 — LowBetter than 18% of packages Maintenance59 Moderate activity, may be stable Popularity0 Limited adoption so far Community6 Small or concentrated contributor base Maturity17 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Community Maintainers ![](https://www.gravatar.com/avatar/0b6f2f80dc30776c1299f895d40dc22ca4f1d9e6b352b15a04b73d5f9b9f4040?d=identicon)[q23](/maintainers/q23) --- Top Contributors [![A-D-E](https://avatars.githubusercontent.com/u/17427745?v=4)](https://github.com/A-D-E "A-D-E (21 commits)") ### Embed Badge ![Health badge](/badges/q23-mfa-email/health.svg) ``` [![Health](https://phpackages.com/badges/q23-mfa-email/health.svg)](https://phpackages.com/packages/q23-mfa-email) ``` ### Alternatives [kartik-v/yii2-password Useful password strength validation utilities for Yii Framework 2.0 761.2M17](/packages/kartik-v-yii2-password) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)