sandstorm/neostwofactorauthentication
=====================================

Active · Neos package · Category: [Authentication &amp; Authorization](/categories/authentication)

Latest version: 2.0.0 (2 months ago) · License: MIT · Requires PHP ^8.1 · [4 PRs](https://github.com/sandstorm/NeosTwoFactorAuthentication/pulls)

Since Feb 8 · Last pushed 1 month ago · 8 watchers

[Source](https://github.com/sandstorm/NeosTwoFactorAuthentication) · [Packagist](https://packagist.org/packages/sandstorm/neostwofactorauthentication)

Neos Backend 2FA
================

Extend the Neos backend login to support second factors. At the moment we only support TOTP tokens.

Support for WebAuthn is planned!

What this package does
----------------------

This package allows all users to register their personal TOTP token (Authenticator App). As an Administrator you are able to delete those tokens for the users again, in case they locked themselves out.

[![Screenshot 2022-02-08 at 17 11 01](https://user-images.githubusercontent.com/12086990/153028043-93e9220e-cc22-4879-9edb-3e156c9accc8.png)](https://user-images.githubusercontent.com/12086990/153028043-93e9220e-cc22-4879-9edb-3e156c9accc8.png)

Versioning Scheme
-----------------

| Package Version | Neos / Flow Version | Released? | Supported | Remarks |
|-----------------|---------------------|-----------|-----------|---------|
| 2.x | 9.x, 8.x, 7.x | ✅ | ✅ | `main` branch |
| 1.x | 9.x, 8.x, 7.x, 3.x | ✅ | | |

Settings
--------

### Enforce 2FA

To enforce the setup and usage of 2FA you can add the following to your `Settings.yaml`.

```
Sandstorm:
  NeosTwoFactorAuthentication:
    # enforce 2FA for all users
    enforceTwoFactorAuthentication: true
```

With this setting, no user can log in to the CMS without setting up a second factor first.

In addition, you can enforce 2FA for specific authentication providers and/or roles by adding the following to your `Settings.yaml`:

```
Sandstorm:
  NeosTwoFactorAuthentication:
    # enforce 2FA for specific authentication providers
    enforce2FAForAuthenticationProviders: ["Neos.Neos:Backend"]
    # enforce 2FA for specific roles
    enforce2FAForRoles: ["Neos.Neos:Administrator"]
```

### Issuer Naming

To override the default sitename as issuer label, you can define one via the configuration settings:

```
Sandstorm:
  NeosTwoFactorAuthentication:
    # (optional) if set, this is used as the issuer name of the TOTP entry; if empty, the site name is used
    issuerName: ""
```

Tested 2FA apps
---------------

Thanks to @Sebobo and @Benjamin-K for creating a list of supported and tested apps!

**iOS**:

- Google Authenticator (used for development) ✅
- Authy ✅
- Microsoft Authenticator ✅
- 1Password ✅

**Android**:

- Google Authenticator ✅
- Microsoft Authenticator ✅
- Authy ✅

How we did it
-------------

- We introduced a new middleware `SecondFactorMiddleware` which handles 2FA on a Neos `Session` basis.
    - This is an overview of the checks the `SecondFactorMiddleware` does for any request:

        ```
                                ┌─────────────────────────────┐
                                │           Request           │
                                └─────────────────────────────┘
                                               ▼
                                    ... middleware chain ...
                                               ▼
                                ┌─────────────────────────────┐
                                │ SecurityEntryPointMiddleware│
                                └─────────────────────────────┘
                                               ▼
                ┌───────────────────────────────────────────────────────────────────┐
                │                     SecondFactorMiddleware                        │
                │                                                                   │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 1. Skip, if no authentication tokens are present, because   │  │
                │  │    we're not on a secured route.                            │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 2. Skip, if 'Neos.Neos:Backend' authentication token not    │  │
                │  │    present, because we only support second factors for Neos │  │
                │  │    backend.                                                 │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 3. Skip, if 'Neos.Neos:Backend' authentication token is     │  │
                │  │    not authenticated, because we need to be authenticated   │  │
                │  │    with the authentication provider of                      │  │
                │  │    'Neos.Neos:Backend' first.                               │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 4. Skip, if second factor is not set up for account and not │  │
                │  │    enforced via settings.                                   │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 5. Skip, if second factor is already authenticated.         │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 6. Redirect to 2FA login, if second factor is set up for    │  │
                │  │    account but not authenticated.                           │  │
                │  │    Skip, if already on 2FA login route.                     │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ 7. Redirect to 2FA setup, if second factor is not set up for│  │
                │  │    account but is enforced by system.                       │  │
                │  │    Skip, if already on 2FA setup route.                     │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                │  ┌─────────────────────────────────────────────────────────────┐  │
                │  │ X. Throw an error, because any check before should have     │  │
                │  │    succeeded.                                               │  │
                │  └─────────────────────────────────────────────────────────────┘  │
                └───────────────────────────────────────────────────────────────────┘
                                                  ▼
                                         ... middlewares ...

        ```
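The checks above, together with the `enforceTwoFactorAuthentication`, `enforce2FAForAuthenticationProviders` and `enforce2FAForRoles` settings from the Settings section, as an added PHP example that is not code from the package: a pure decision function over a simplified request state. `RequestState`, `isEnforced()`, `decide()`, the route names and the token array shape are assumptions made for this example; the token is keyed by the `Neos.Neos:Backend` provider name used in the settings, and the real middleware obtains the same facts from Flow's Security Context, the account and the PSR-7 request.

```php
<?php
// Added example (not code from the NeosTwoFactorAuthentication package): the seven
// SecondFactorMiddleware checks and the enforcement settings modelled as a pure
// decision function. RequestState, isEnforced(), decide(), the route names and the
// array shapes are assumptions of this example.
declare(strict_types=1);

final class RequestState
{
    /**
     * @param array<string, array{authenticated: bool, roles: string[]}> $tokens
     *        authentication tokens keyed by provider name, e.g. 'Neos.Neos:Backend'
     */
    public function __construct(
        public readonly array $tokens,
        public readonly bool $secondFactorSetUp,         // account has a TOTP registered
        public readonly bool $secondFactorAuthenticated, // second factor already passed in this session
        public readonly string $route,                   // current route, e.g. 'backend', '2fa/login', '2fa/setup'
    ) {
    }
}

/**
 * Mirrors the Sandstorm.NeosTwoFactorAuthentication settings: 2FA is enforced
 * globally, per authentication provider, or per role.
 */
function isEnforced(array $settings, string $provider, array $roles): bool
{
    if ($settings['enforceTwoFactorAuthentication'] ?? false) {
        return true;
    }
    if (in_array($provider, $settings['enforce2FAForAuthenticationProviders'] ?? [], true)) {
        return true;
    }
    return array_intersect($roles, $settings['enforce2FAForRoles'] ?? []) !== [];
}

/** Returns what the middleware would do for this request: 'skip: ...' or 'redirect: ...'. */
function decide(RequestState $state, array $settings): string
{
    // 1. No tokens at all: we are not on a secured route.
    if ($state->tokens === []) {
        return 'skip: no authentication tokens present';
    }
    // 2. Only the Neos backend token is handled by this middleware.
    $backend = $state->tokens['Neos.Neos:Backend'] ?? null;
    if ($backend === null) {
        return 'skip: no Neos.Neos:Backend token';
    }
    // 3. The first factor (username/password) has to succeed before 2FA is considered.
    if (!$backend['authenticated']) {
        return 'skip: first factor not authenticated';
    }
    // 4. Nothing to do when no second factor exists and none is enforced.
    $enforced = isEnforced($settings, 'Neos.Neos:Backend', $backend['roles']);
    if (!$state->secondFactorSetUp && !$enforced) {
        return 'skip: second factor neither set up nor enforced';
    }
    // 5. The second factor was already verified in this session.
    if ($state->secondFactorAuthenticated) {
        return 'skip: second factor already authenticated';
    }
    // 6. Registered but not yet verified: send the user to the 2FA login.
    if ($state->secondFactorSetUp) {
        return $state->route === '2fa/login' ? 'skip: already on 2FA login' : 'redirect: 2fa/login';
    }
    // 7. Enforced but not registered: send the user to the 2FA setup.
    if ($enforced) {
        return $state->route === '2fa/setup' ? 'skip: already on 2FA setup' : 'redirect: 2fa/setup';
    }
    // X. Every case above returns, so reaching this point is a programming error.
    throw new LogicException('SecondFactorMiddleware: no check matched the request');
}

// Constructed scenario (not from the page): 2FA enforced for Administrators only;
// an administrator has logged in with username/password but has no TOTP yet.
$settings = [
    'enforceTwoFactorAuthentication' => false,
    'enforce2FAForAuthenticationProviders' => [],
    'enforce2FAForRoles' => ['Neos.Neos:Administrator'],
];
$adminToken = ['authenticated' => true, 'roles' => ['Neos.Neos:Administrator']];
$request = new RequestState(['Neos.Neos:Backend' => $adminToken], false, false, 'backend');
echo decide($request, $settings), PHP_EOL; // check 7 applies here

// Same user after registering a TOTP, while the second factor is not verified yet.
$request = new RequestState(['Neos.Neos:Backend' => $adminToken], true, false, 'backend');
echo decide($request, $settings), PHP_EOL; // check 6 applies here
```

Two properties of this ordering are worth keeping in mind when reviewing a middleware like this: the decision never consults the route before checks 1 to 5 have run, so being on the 2FA login or setup route by itself never skips the first-factor requirement, and the final fall-through throws instead of returning a "skip", so an unhandled combination of states fails loudly rather than silently letting the request through.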

When updating Neos, these parts will likely crash:
---------------------------------------------------

- the login screen for the second factor is a hard copy of the login screen from the `Neos.Neos` package
    - only the username/password form was replaced with the form for the second factor
    - it may have to be replaced when Neos gets updated
- hopefully the rest of this package is solid enough to survive the next major Neos versions ;)

Why not ...?
------------

### Enhance the `UsernamePassword` authentication token

> This actually has been the approach up until version 1.0.5.

One issue with this is the fact that we *want* the user to be logged in with that token via the `PersistedUsernamePasswordProvider`, but at the same time to *not be logged in* with that token as long as 2FA has not been authenticated as well. We found it hard to find a secure way to model the 2FA setup flow when 2FA is enforced but the user does not have a second factor enabled yet.

The middleware approach makes a clear distinction between "Logging in" and "Second Factor Authentication", while still being session based and impossible to bypass.

### Set the authenticationStrategy to `allTokens`

The `AuthenticationProviderManager` requires all tokens to be authenticated at the same time; otherwise it throws an exception (see `AuthenticationProviderManager`, line 181):

```
if ($this->authenticationStrategy === Context::AUTHENTICATE_ALL_TOKENS) {
    throw new AuthenticationRequiredException('Could not authenticate all tokens, but authenticationStrategy was set to "all".', 1222203912);
}
```

This leads to an error where the `AuthenticationProviderManager` throws exceptions before the user is able to enter any credentials. The `SecurityEntryPointMiddleware` catches those exceptions and redirects to the Neos Backend Login, which causes the same exception again. We get caught in an endless redirect.

The [Neos Flow Security Documentation](https://flowframework.readthedocs.io/en/stable/TheDefinitiveGuide/PartIII/Security.html#multi-factor-authentication-strategy) suggests how to implement multi-factor authentication, but this method seems like it was never tested. At the time of writing it seems like the `authenticationStrategy: allTokens` flag is broken and not usable.


### Release Activity

- Cadence: every ~93 days (recently: every ~192 days)
- Total releases: 17
- Last release: 61 days ago
- Major versions: 1.5.0 → 2.0.0 (2026-03-18)
- PHP version history (2 changes): 1.0.0 requires PHP ^7.4 | ^8.0; 2.0.0 requires PHP ^8.1

### Community

- Maintainers: [sandstorm](/maintainers/sandstorm)
- Top contributors: [JamesAlias](https://github.com/JamesAlias) (39 commits), [Pingu501](https://github.com/Pingu501) (19), [hphoeksma](https://github.com/hphoeksma) (6), [lorenzulrich](https://github.com/lorenzulrich) (6), [skurfuerst](https://github.com/skurfuerst) (2), [Nickosaurus](https://github.com/Nickosaurus) (2), [bwaidelich](https://github.com/bwaidelich) (1), [Benjamin-K](https://github.com/Benjamin-K) (1), [adrian-cerdeira](https://github.com/adrian-cerdeira) (1), [on3iro](https://github.com/on3iro) (1), [anothanj](https://github.com/anothanj) (1), [flammel](https://github.com/flammel) (1)
- Tags: 2fa, neos, neos-cms, two-factor-authentication

