57 lines
2.6 KiB
ReStructuredText
57 lines
2.6 KiB
ReStructuredText
E-Mail as Second Factor
|
|
=======================
|
|
|
|
This plugin adds the user's e-mail account as a second authentication
|
|
factor.
|
|
|
|
After logging in through another authentication module, a one-time code
|
|
will be generated by the portal and sent to the user's e-mail address.
|
|
The user will be prompted for this code in order to finish the login
|
|
process.
|
|
|
|
|
|
.. attention::
|
|
|
|
This plugin will only improve security in situations
|
|
where the user's email is not protected by the same password used to
|
|
login on LemonLDAP::NG. And of course, if the user's email account is
|
|
also protected by LemonLDAP::NG, they will not be able to open their
|
|
mailbox to find out their one-time code.
|
|
|
|
Configuration
|
|
~~~~~~~~~~~~~
|
|
|
|
Before configuring this module, make sure the user's email address is
|
|
correctly fetched from your UserDB plugin and appears in the session
|
|
browser. If you want to store the user e-mail in a different session
|
|
field than ``mail``, go to "General Parameters » Advanced parameters »
|
|
SMTP" and set the "Session key containing mail address" parameter.
|
|
|
|
All parameters are configured in "General Parameters » Second factors »
|
|
Mail second factor".
|
|
|
|
- **Activation**: Set to ``On`` to activate this module. If a user does
|
|
not have an email address, they will encounter an error on login. If
|
|
you want to use this plugin only for users who have an email address,
|
|
use ``$mail`` (or whatever your e-mail session key is) as the
|
|
activation rule.
|
|
- **Code regex**: The regular expression used to generate one-time
|
|
codes. The default is a 6-digit code.
|
|
- **Code timeout**: It might take a while for users to open their
|
|
e-mail account and find the code. Raise this timeout if the default
|
|
(2 minutes) isn't enough.
|
|
- **Mail subject**: The subject of the email the user will receive. If
|
|
you leave it blank, it will be looked up in translation files.
|
|
- **Mail body**: The plain text content of the email the user will
|
|
receive. If you leave it blank, the ``mail_2fcode`` HTML template
|
|
will be used. The one-time code is stored in the ``$code`` variable
|
|
- **Re-send interval**: Set this to a non-empty value to allow the user to
|
|
re-send the code in case a transmission error occured. The value sets how
|
|
many seconds the user has to wait before each attempt
|
|
- **Authentication level** (Optional): if you want to overwrite the
|
|
value sent by your authentication module, you can define here the new
|
|
authentication level. Example: 5
|
|
- **Label** (Optional): label that should be displayed to the user on
|
|
the choice screen
|
|
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|