Forum OpenACS Development: Multi Factor Authentication package

MFA (Multi-Factor Authentication) for OpenACS

This package provides Time-based One-Time Password (TOTP) two-factor authentication (2FA) for OpenACS / NaviServer applications, compatible with Google Authenticator and similar apps (Authy, Microsoft Authenticator, FreeOTP, etc.).

It integrates seamlessly into the OpenACS authentication flow and uses the built-in ns_totp command from NaviServer and the qrencode CLI via exec.

You can get the code with git clone https://github.com/claudio-48/mfa.git.


🚀 Features

  • Implements TOTP (RFC 6238) using ns_totp
  • User setup with QR code and Base32 secret
  • OTP verification with configurable time window tolerance (skew)
  • The decision to use the 2FA is left to the user, who can opt in and out at any moment
  • Optional enforcement of 2FA for all users (actually not implemented)
  • PostgreSQL schema and setup/verify pages included

Claudio

Posted by Brian Fenton on
Congrats, Claudio. This looks super interesting.

Brian

Posted by Gustaf Neumann on

Thank you, Claudio! This is a very nice contribution.

I've updated the docker compose instructions for gustafn/openacs:latest to include qrencode:

https://hub.docker.com/repository/docker/gustafn/openacs/general

Posted by Claudio Pasolini on
I have implemented the optional enforcement of the MFA for all users.
The package has been tested only with Google Authenticator.

Claudio

Posted by Claudio Pasolini on
I just made the last refinements, tested the package also with Authy and updated the repository at https://github.com/claudio-48/mfa.git.

Claudio

Posted by Claudio Pasolini on
Added internationalization and moved SQL to xql files.

Posted by Claudio Pasolini on
The package is now in production in some of our applications. In the first, somewhat naive implementation, OTP authentication was tied to the user, while now it's tied to the session. This way, a user can log in simultaneously on multiple devices, but the OTP is always required.

Claudio