Multi-factor authentication

From MoodleDocs

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security measure that requires users to verify their identity using two or more factors of authentication. Factors can be something users know, like a password, something they have, like a phone or security token, or something they are, like a fingerprint.

MFA improves the security of your Moodle site because an attacker who obtains a user's password still has to compromise a second, independent factor before they can log in.

Manage multi-factor authentication

From Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can turn MFA on by checking the box MFA plugin enabled.

If you’re configuring MFA for your site for the first time, we recommend that you check out the Recommendations and example setups to streamline the experience for your users.

Weights and factors

In Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can see a list of the available factors and select the ones that make up MFA for your site.

Each factor carries a weight in points, and a user must accumulate 100 points to log in. By enabling several factors and adjusting their weights, you can express flexible rules for multi-factor authentication.

For example, two factors with 100 points each give users a choice of method, since either one alone reaches the threshold (an OR rule). Two factors with 50 points each mean users must pass both to reach 100 points (an AND rule).

During the login process, factors that don't require user input, like IP address or user role, are assessed first. Then, the remaining factors are evaluated in order of weight, starting from the highest, until either the cumulative points reach the login threshold (100) or all factors have been checked and login is denied.

Available authentication factors

Standard authentication factors

These are the well-known factors found in many other products and services:

Email: This factor asks users for a code sent to them by email. When a user attempts to log in, Moodle generates a unique, temporary code and sends it to the user's registered email address; the user must enter it, in addition to their password, to complete the login. The code is valid for a limited, configurable period, which limits how long a leaked or intercepted code can be used. Bear in mind that this factor is only as strong as the user's mailbox: anyone who can read the user's email can pass it.

Authenticator app: This factor uses a mobile app to generate a temporary code. During login, Moodle asks the user to enter the code currently shown by their app, in addition to their password. The code changes at short, fixed intervals, so a captured code is only usable for a brief window. Users must install an app on their mobile device and enrol it with Moodle themselves.
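How the code shown by an authenticator app is produced and checked, as an added example (illustrative code, not Moodle's and not the plugin's API): the standard TOTP algorithm (RFC 6238) that authenticator apps implement, with a verifier that tolerates one time step of clock drift and refuses a code for any time step that has already been consumed. The secret used is the RFC's published test key, not a real one; the window and last-counter handling are the design choices of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Base32 of the ASCII key "12345678901234567890": the RFC 6238 test vector key,
# used here only so the outputs can be checked against the RFC's tables.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


def verify_totp(secret_b32: str, submitted: str, at: float, last_counter: int = -1,
                period: int = 30, window: int = 1, digits: int = 6) -> Tuple[bool, int]:
    """Accept the code for the current time step or its +/-`window` neighbours (clock
    drift), but never for a step at or before `last_counter`, the step of the last
    accepted code. Returns (accepted, counter to persist as the new last_counter)."""
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    current = int(at // period)
    for step in range(current - window, current + window + 1):
        if step <= last_counter:
            continue  # replay of an already-consumed code, or an older step
        if hmac.compare_digest(hotp(secret_b32, step, digits), submitted):
            return True, step
    return False, last_counter


if __name__ == "__main__":
    # The first three lines match the RFC 6238 SHA-1 table (last six digits).
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_TEST_SECRET, at=t))
    ok, counter = verify_totp(RFC6238_TEST_SECRET, totp(RFC6238_TEST_SECRET, at=59), at=59)
    print("first use:", ok, "replay:", verify_totp(RFC6238_TEST_SECRET, "287082", at=59, last_counter=counter))
```

The two values that matter operationally are `window` and the stored `last_counter`: the window decides how much clock skew between phone and server you tolerate, and persisting the counter of the last accepted code is what turns "changes periodically" into "cannot be replayed within that period".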

Security key: This factor uses physical hardware tokens, such as USB or NFC security keys, or built-in biometric authenticators such as fingerprint readers. During login, users must use their security key on their device to verify their identity. Users must register their keys themselves.

IP range: This factor gives points to logins that arrive from an IP range you define as trusted, so users on that network can log in without a further prompt. It needs no setup by your users. Anyone reaching the site from the trusted range receives the points, so list only address ranges you actually control.

SMS Mobile phone: This factor requires a mobile phone capable of receiving SMS (text) messages. During the login process, Moodle generates a unique, one-time code and sends it to the user's registered mobile phone number via SMS. The user enters this code along with their password to successfully complete the login process. Users must configure this factor themselves.
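What the server has to keep track of for the Email and SMS factors described above, as an added example (illustrative code, not the plugin's own): a store of issued codes that are generated with a cryptographically secure generator, expire after a validity period, can be used exactly once, and lock after a few wrong guesses. The validity period and attempt limit are assumed values chosen for the example; the page only says the validity period is configurable.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
VALIDITY_SECONDS = 600   # assumed value for the example; the real period is an admin setting
MAX_ATTEMPTS = 5         # assumed value; a 6-digit code with unlimited guesses is brute-forceable


@dataclass
class IssuedCode:
    code: str
    expires_at: float
    attempts: int = 0


class OneTimeCodeStore:
    """Server-side state for codes delivered out of band (email or SMS), one per user."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so expiry can be tested
        self._codes: Dict[int, IssuedCode] = {}

    def issue(self, userid: int) -> str:
        """Create a fresh code for the user, replacing any outstanding one, and return it
        for delivery. `secrets` is a CSPRNG; random.randint would be predictable."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[userid] = IssuedCode(code, self._now() + VALIDITY_SECONDS)
        return code

    def verify(self, userid: int, submitted: str) -> str:
        """Return "ok" and consume the code, or one of "no_active_code", "expired",
        "locked", "wrong". Expired and locked codes are discarded, not retried."""
        rec = self._codes.get(userid)
        if rec is None:
            return "no_active_code"
        if self._now() > rec.expires_at:
            del self._codes[userid]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._codes[userid]
            return "locked"
        rec.attempts += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if not hmac.compare_digest(rec.code.encode(), str(submitted).encode()):
            return "wrong"
        del self._codes[userid]              # single use: a second submission fails
        return "ok"


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue(42)          # would be sent by email or SMS
    print("wrong guess:", store.verify(42, "000000" if code != "000000" else "111111"))
    print("right code:", store.verify(42, code))
    print("replay:", store.verify(42, code))
```

The four checks in `verify` are the ones worth auditing in any out-of-band code factor: expiry bounds the exposure of a code read from a mailbox or an SMS preview, single use stops replay, the attempt limit makes guessing a six-digit code impractical, and the constant-time comparison avoids a timing side channel.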

User-filtering factors

User-filtering factors are a way to easily create groups of users who will or will not be required to use multi-factor authentication (MFA).

Non administrator: This factor requires only administrators to have two or more authentication factors, while not affecting other users. It does so by giving factor points to all users who are not an administrator.

Authentication type: This factor lets users skip further authentication steps based on how they authenticate to Moodle. This is useful where an authentication method, such as SAML via ADFS, already enforces strong authentication, making additional checks redundant.

Role: This factor has to be used in combination with other factors, as it allows you to specify which roles must use other factors to authenticate. For example, you can require that users with elevated privileges, such as managers and administrators, go through a stricter authentication process, while users in roles you have not specified, such as students, receive the points from this factor and bypass MFA.

Cohort: This factor has to be used in combination with other factors, as it allows you to specify which cohorts must use other factors to authenticate.

User capability: This factor is similar to the Role factor, and must also be combined with other factors, as it allows you to specify which users must use other factors to authenticate. It does so by checking whether users have the capability ‘factor/capability:cannotpassfactor’ at system level. Users who do not have the capability ‘factor/capability:cannotpassfactor’ will be given points for this factor and can bypass MFA, while users with this capability will need to use another type of authentication.

For example: You assign the capability ‘factor/capability:cannotpassfactor’ to all Managers, and also enable the Email factor. When a Manager logs in, they will have to use the Email factor. But when a student tries to log in, they will not.

Since Admin users have all capabilities allowed by default, including “factor/capability:cannotpassfactor”, there’s an additional setting that will allow Admins to gain points for this factor despite having the capability.

Other factors

These factors provide additional flexibility and control over the authentication process.

Trust this device: This factor allows users to mark a device as trusted during MFA logins. Once a device is designated as trusted, users can bypass MFA for a specified period of time when logging in from that device.

To implement this feature effectively, assign a score of 100 points to this factor.

Grace period: This factor is essential when you turn on factors that require upfront setup from users, like Authenticator app or Security key. It lets users log in without completing multi-factor authentication (MFA) for a set time, giving them a window in which to set up their other factors. If a user is still within their grace period when they reach the first page after login, whether or not grace mode was the factor that let them in, a notification tells them how much of the grace period remains and that they may need to set up additional factors to avoid being locked out when it expires.

To implement this feature effectively, give this factor 100 points. Users receive points from it only if no other user-input factor requires their interaction during that login. Place it at the end of the factor list so that all other factors are assessed first.

If the grace period ends and users have not set up their authentication methods, they will not be able to log in to your site. You can extend the grace period to allow them to log in, or enable other factors temporarily, such as IP range or role.

No other factors: This factor allows people to log in if they have not set up any other MFA factors. For example, if you want to offer MFA to your users but not make it compulsory, give 100 points to ‘no other factors’ to allow those who don’t want to use MFA to log in to the site. Once another factor is set up for a user, they will no longer gain points for this one.

User setup

If you enable the factors Authenticator app and Security key, your users will need to configure multi-factor authentication themselves. The authentication settings can be accessed through User menu > Preferences > Multi-factor authentication preferences. There, they will be able to set up and see their authenticator apps or security keys, as well as revoke access to any factors they have configured.

Recommendations and example setups

When setting up MFA for your site, it’s important to ensure that you’re making your site more secure, but also creating a good experience for your users, including making sure that they are able to log in if they follow the right steps. Here are some recommendations to ensure that MFA is streamlined for your users:

  1. Turn on the Grace period factor whenever you turn on a factor that users have to configure themselves (Authenticator app, Security key or SMS mobile phone). This gives your users time to set up MFA before they are required to use it.
  2. If you do not want to make MFA mandatory, enable No other factors. Users who have not set up any factor can then log in with their password alone.
  3. The IP range factor is a very straightforward method if all your users share one network. Once users have logged in through it, they can set up additional factors, such as an authenticator app, and use those when they are away from the trusted network.
  4. The SMS mobile phone factor delivers its messages through Amazon Simple Notification Service (SNS), so you need AWS credentials for SNS before you can use it.

Example setups

These are some examples of common MFA setups to increase the security of your Moodle site.

a) Email verification

  1. Enable MFA.
  2. Turn on the Email factor and give it 100 points.
  3. Optionally turn on Trust this device so that users can skip MFA for a set period on a device where they have already passed it once.
  4. Let your users know that email verification is now enabled. The next time they log in, they will be asked to check their email and enter the code that was sent there.


b) Authenticator app

  1. Enable MFA.
  2. Turn on the Grace period factor and give it 100 points. This gives users time to set up their authenticator app without being locked out. Use the Grace period warning banner to tell them that MFA is coming and that they need to set up their app.
  3. Turn on the Authenticator app factor and give it 100 points.
  4. Optionally turn on Trust this device so that users can skip MFA for a set period on a device where they have already passed it once.


c) Email OR authenticator app

  1. Enable MFA.
  2. Turn on the Email factor and give it 100 points.
  3. Turn on the Grace period factor and give it 100 points. This gives users time to set up their authenticator app without being locked out. Use the Grace period warning banner to tell them that MFA is coming and that they need to set up their app.
  4. Turn on the Authenticator app factor and give it 100 points. Either factor alone now reaches the threshold, so users can use whichever they have available.
  5. Optionally turn on Trust this device so that users can skip MFA for a set period on a device where they have already passed it once.


d) Email AND authenticator app

  1. Enable MFA.
  2. Turn on the Email factor and give it 50 points.
  3. Turn on the Grace period factor and give it 100 points. This gives users time to set up their authenticator app without being locked out. Use the Grace period warning banner to tell them that MFA is coming and that they need to set up their app.
  4. Turn on the Authenticator app factor and give it 50 points. Users have to pass both factors to reach 100 points and log in, so once the grace period ends, anyone who has not enrolled an app gets only 50 points from email and is locked out.
  5. Optionally turn on Trust this device so that users can skip MFA for a set period on a device where they have already passed it once.


e) SMS Mobile phone

  1. Enable MFA.
  2. Turn on the SMS Mobile phone factor and give it 100 points.
  3. Turn on the Grace period factor and give it 100 points, as in setup b): users have to register a mobile number themselves, so without a grace period they cannot log in until they have done so.
  4. Configure Amazon SNS for SMS delivery, following the AWS SNS documentation.
  5. Add the AWS access key and secret to the SMS Mobile phone factor settings in Moodle.
  6. Tell your users that SMS verification is now enabled. On their next login they can register their mobile number under their multi-factor authentication preferences.
  7. Optionally turn on Trust this device so that users can skip MFA for a set period on a device where they have already passed it once.
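The point rules from Weights and factors and the setups a) to d) above, worked through as an added example (a model of the behaviour the page describes, not the plugin's own code): each factor carries a weight, factors that need no user input are evaluated first, input factors follow from the highest weight down, and the user is allowed in as soon as 100 points are reached. The user state dicts are constructed for the example; the grace factor is simplified to "window still open and no setup-requiring factor enrolled yet", and the capability filter follows the User capability description (points go to users without the capability). Users with no enrolled authenticator are simply not prompted for it, which is the assumption behind the `ready` check.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LOGIN_THRESHOLD = 100  # the page's rule: a login needs 100 points

# A user's state for one login attempt, as a plain dict (constructed for this example):
#   setup      - factors the user has enrolled themselves, e.g. {"totp"}
#   correct    - input factors the user satisfied this time (right email code, valid TOTP)
#   in_grace   - still inside the grace window
#   trusted_ip, caps - context consumed by the non-input factors
Predicate = Callable[[dict], bool]
ALWAYS: Predicate = lambda user: True


@dataclass(frozen=True)
class Factor:
    name: str
    weight: int
    needs_input: bool   # True: prompts the user (code, key touch); False: decided from context
    ready: Predicate    # can this user be prompted for it at all?
    passes: Predicate   # was it satisfied?


# Standard (input) factors.
def email(weight: int) -> Factor:        # needs no setup, so every user is "ready"
    return Factor("email", weight, True, ALWAYS, lambda u: "email" in u["correct"])


def totp(weight: int) -> Factor:         # only usable once the user has enrolled an app
    return Factor("totp", weight, True,
                  lambda u: "totp" in u["setup"], lambda u: "totp" in u["correct"])


# Non-input factors.
def iprange(weight: int) -> Factor:
    return Factor("iprange", weight, False, ALWAYS, lambda u: u.get("trusted_ip", False))


def capability(weight: int) -> Factor:   # points go to users WITHOUT the capability
    return Factor("capability", weight, False, ALWAYS,
                  lambda u: "factor/capability:cannotpassfactor" not in u.get("caps", set()))


def grace(weight: int) -> Factor:
    # Modelling assumption: grace pays out while the window is open and the user has not
    # enrolled any factor that needs setup. The page's caveat about other input factors
    # interacting with grace is not modelled here.
    return Factor("grace", weight, False, ALWAYS,
                  lambda u: u.get("in_grace", False) and not u["setup"])


def evaluate_login(factors: List[Factor], user: dict) -> Tuple[bool, int, List[str]]:
    """Apply the page's evaluation order: non-input factors first (in list order, so put
    grace last), then input factors from the highest weight down, stopping as soon as
    the threshold is reached. Returns (allowed, points, names of factors that scored)."""
    passive = [f for f in factors if not f.needs_input]
    active = sorted((f for f in factors if f.needs_input), key=lambda f: f.weight, reverse=True)
    points, passed = 0, []
    for f in passive + active:
        if points >= LOGIN_THRESHOLD:
            break
        if f.needs_input and not f.ready(user):
            continue            # nothing enrolled for this factor: the user is not prompted
        if f.passes(user):
            points += f.weight
            passed.append(f.name)
    return points >= LOGIN_THRESHOLD, points, passed


# The page's example setups, with grace listed last as the Grace period section advises.
SETUPS: Dict[str, List[Factor]] = {
    "a_email":          [email(100)],
    "b_totp":           [totp(100), grace(100)],
    "c_email_or_totp":  [email(100), totp(100), grace(100)],
    "d_email_and_totp": [email(50), totp(50), grace(100)],
    "managers_only":    [capability(100), email(100)],   # the User capability example
    "office_or_totp":   [iprange(100), totp(100)],       # recommendation 3
}

if __name__ == "__main__":
    enrolled = {"setup": {"totp"}, "correct": {"email", "totp"}, "in_grace": False}
    late = {"setup": set(), "correct": {"email"}, "in_grace": False}   # grace expired, no app
    for name, factors in SETUPS.items():
        print(f"{name:18} enrolled={evaluate_login(factors, enrolled)} late={evaluate_login(factors, late)}")
```

Running it shows the two cases an administrator most needs to see before switching MFA on: in setup d) a user whose grace period has expired without enrolling an authenticator gets only 50 points from email and is locked out, which is exactly the situation the Grace period section warns about; and in the managers_only setup a student passes on the capability filter alone while a manager is forced through the email factor.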

Summary of good conditions for login

The settings page ends with a summary of the enabled factors and their weights. Check that at least one combination of factors your users can actually pass adds up to 100 points; if none does, nobody will be able to log in.

General MFA settings

  • The MFA plugin enabled box must be checked for MFA to work.
  • Redirect exclusions: in this section you can add relative URLs (from the site root) that the MFA check will not redirect away from.
  • Guidance: links to help pages, or uploaded files, that are shown to users when they are asked to set up or complete MFA.

Admin locked out of site - how to resolve

Be careful as an administrator when configuring and testing factors that you do not lock yourself out of the site. If you do, MFA can be disabled from the command line. Run the following from the Moodle root directory, as the web server user:

    php admin/cli/cfg.php --component=tool_mfa --name=enabled --set=0

Running the same command without --set prints the current value, so you can confirm the change took effect. Fix the factor configuration that caused the lockout before enabling MFA again.

See also

All factor report