Copyright (C) 2021 - 2022 Jeffrey Bostoen
Need assistance with iTop or one of its extensions?
Need custom development?
Please get in touch to discuss the terms: [email protected] / https://jeffreybostoen.be
This extension was complex to develop and is now very feature rich, so this became a professional extension.
This extension makes it possible for iTop users to log in in a more secure way.
After the traditional login with regular credentials, it requires a two factor code.
Users get this TOTP code from their preferred authenticator app.
The extension allows iTop administrators or users with modify rights on the Person class to enforce the use of a two factor code.
Otherwise, the use of two factor authentication remains optional.
Upon enforcement, users will be required to set up their two factor authentication after logging in with their basic plain credentials.
It should work with:
- Authy
- Authenticator extension for MS Edge, Firefox and Google Chrome
- Google Authenticator
- Microsoft Authenticator
- any generic authenticator app
It should work with typical iTop configurations: built-in iTop users (UserLocal), LDAP users (UserLDAP) and externally authenticated users (UserExternal).
Other types of users may work out of the box, but this is untested and not guaranteed.
If needed, please consult before purchasing.
The user can directly enter the two factor code when authenticating to iTop using classic credentials.
If it's the first time and two factor authentication has been enforced in the backend, the user will have to set up a two factor code.
The secret can be updated by the user (once authenticated) in the console (classic backend).
The secret can be updated by the user (once authenticated) in the portal (modern frontend).
In the current concept (this can become more strict upon development requests!),
people with access to the person object can configure two factor authentication to be enforced.
- Send TOTP token to e-mail
- Send TOTP token to SMS services (API documentation will be requested!)
- Bypass based on HTTP header or IP ranges
- See documentation included with extension
- none yet
- iTop 2.7 or 3.0
- PHP 7.4 or newer
- iTop extensions
- One two factor secret per person (even if this person has different user accounts)
XML:
- add a value to an existing dropdown list (AttributeEnum)
PHP:
- enhancing iTop's login process using available hooks
PHP 7.4 or higher
To generate QR-codes, the chillerlan/php-qrcode package is used.
The extension is also based on PHPGangsta/GoogleAuthenticator, released under a BSD-license.
It can generate secrets, generate codes, validate codes and present a QR-Code for scanning the secret.
It implements TOTP according to RFC6238. A patch has been applied to make it compatible with Authy/Microsoft Authenticator/others.
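What generating and validating a code under RFC 6238 involves, as an added PHP example. It is not code from this extension or from PHPGangsta/GoogleAuthenticator; the function names, the 30-second step and the one-step tolerance window are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Decode the base32 secret an authenticator app receives via the QR code.
function base32_decode_secret(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = strtoupper(rtrim($b32, '='));
    if (!preg_match('/\A[A-Z2-7]+\z/', $clean)) {
        throw new InvalidArgumentException('Secret is empty or not base32');
    }
    $buffer = 0; $bits = 0; $out = '';
    foreach (str_split($clean) as $ch) {
        $buffer = ($buffer << 5) | strpos($alphabet, $ch);
        $bits += 5;
        if ($bits >= 8) {               // a full byte is available
            $bits -= 8;
            $out .= chr(($buffer >> $bits) & 0xFF);
            $buffer &= (1 << $bits) - 1;
        }
    }
    return $out;
}

// RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation.
function totp_code(string $key, int $time, int $digits = 6, int $step = 30): string
{
    $hash = hash_hmac('sha1', pack('J', intdiv($time, $step)), $key, true);
    $offset = ord($hash[19]) & 0x0F;
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current 30-second step and $window steps either side (clock drift).
// Assumption: a window of 1; a wider window accepts more codes at any moment.
function totp_verify(string $key, string $submitted, int $now, int $window = 1): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        // hash_equals() is constant-time; every candidate is always checked.
        $ok = hash_equals(totp_code($key, $now + $i * 30), $submitted) || $ok;
    }
    return $ok;
}

// Constructed input: the SHA-1 test secret from RFC 6238 Appendix B, base32-encoded.
$key = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
echo totp_code($key, 59, 8), PHP_EOL;   // compare with the RFC's table for T = 59
var_dump(totp_verify($key, totp_code($key, 59), 59 + 30));  // one step later, inside window
var_dump(totp_verify($key, totp_code($key, 59), 59 + 90));  // three steps later, outside
```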
Sponsor to speed up development of these features:
- Protection against Brute Forcing MFA (time-out, lock out indefinitely, ...)
- Trusted browser
Special thanks to PC-Notdienst for sponsoring the trusted networks feature.