Multi-Factor Authentication — TOTP / FIDO2 / YubiKey

mp22796d20250923111818

Modern MFA for Dolibarr: passkeys (FIDO2/WebAuthn), TOTP, and YubiKey OTP. Encrypted secrets, clone-detection, audit logs, and enforcement by user or role. 80+ languages.

99.00 €
Excl. tax

  • Author Moisson Julien
  • Module version 2.0
  • Release date 09/23/2025
  • Access to download and updates Lifetime access
  • How to contact support contact@akyras.fr
  • Compatibility Dolibarr V18+ - PHP 7.0 - 8.2
  • Last update 05/13/2026 09:54 AM

Protect every login — without slowing your team down.

2fabyakyras is the most complete MFA module for Dolibarr. It supports three industry-standard second factors — TOTP (Google Authenticator, Authy, FreeOTP), FIDO2/WebAuthn passkeys (Windows Hello, Touch ID, hardware keys), and YubiKey OTP — and lets each user pick what works best for them.

Why 2fabyakyras?

  • Three methods, one module. TOTP, FIDO2 passkeys, YubiKey OTP. Users choose; admins control which ones are allowed.
  • Granular enforcement. Require 2FA globally, per role, or per individual user — no trade-off between security and usability.
  • Guided enrollment. Step-by-step onboarding with QR code, per-user recovery codes, and an admin-reset option. Fewer support tickets.
  • "Remember this device." Configurable duration (default 30 days). Encrypted cookie, bound to IP and user agent, stored as a hashed token — nothing exploitable in the database.
  • Audit-ready logs. Every attempt (success or failure) is logged with timestamp, IP, and user agent. Logs are paginated, searchable, and exportable. Suspicious activity triggers an email alert.

Key technical details

  • TOTP secrets encrypted at rest (AES-256-CBC, unique IV per secret).
  • Anti-replay protection: each TOTP code is single-use within its 30-second window.
  • WebAuthn clone detection: sign_count regression triggers an automatic login rejection (W3C WebAuthn spec §7.2).
  • Support for multiple WebAuthn keys per user (hardware key + platform authenticator).
  • Double CSRF layer (Dolibarr native token + dedicated 2FA token), timing-safe comparisons throughout.
  • Session ID rotated immediately after successful authentication.
  • Secure/HttpOnly/SameSite=Strict cookies, no-store cache headers on all sensitive pages.
  • YubiKey OTP validated via YubiCloud over HTTPS (HMAC-SHA1 signed, nonce-verified).
  • 60+ supported locales including RTL languages (Arabic, Hebrew, Persian, Urdu).
  • Compatible with Dolibarr v18 to v23.
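Two of the checks listed above, single-use TOTP codes and WebAuthn signature-counter regression, are easy to get subtly wrong, so here is a runnable illustration of both. This is an added example written in Python for this page, not code from the 2fabyakyras module (which is PHP); the class and function names (`TotpVerifier`, `check_sign_count`, `CounterRegression`) are assumed for the example, and the TOTP secret is the RFC 4226/6238 test-vector key, not a real user secret. The replay rule is the one RFC 6238 §5.2 recommends: once a code for time step T is accepted, any code for a step at or before T is refused, which covers the "single use within its 30-second window" guarantee and also stops an older code from being replayed after a newer one.

```python
"""Added example (not the module's own code): server-side TOTP anti-replay
and WebAuthn signCount regression detection, using only the standard library."""
import base64
import hashlib
import hmac
import struct

# Base32 of the RFC 4226 / RFC 6238 test-vector key "12345678901234567890".
# Constructed for this example; never a real enrolled secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for an explicit time-step counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 §5.3
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class TotpVerifier:
    """Per-user TOTP state. Remembers the highest accepted time step so that a
    code cannot be replayed, even inside the +/-1 step clock-skew window."""

    def __init__(self, secret_b32: str, period: int = 30, skew: int = 1):
        self.secret = secret_b32
        self.period = period
        self.skew = skew
        self.last_step = -1  # highest time step already consumed by this user

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.period
        for step in range(current - self.skew, current + self.skew + 1):
            # Constant-time comparison so the response time does not leak
            # how many leading digits matched.
            if hmac.compare_digest(totp(self.secret, step), code):
                if step <= self.last_step:
                    return False  # replay: this step (or an older one) was used
                self.last_step = step
                return True
        return False


class CounterRegression(Exception):
    """Assertion rejected: signCount did not increase (possible cloned key)."""


def check_sign_count(stored: int, reported: int) -> int:
    """WebAuthn Level 2 §7.2, step 21. If either counter is non-zero, the value
    reported by the authenticator must be strictly greater than the stored one;
    a regression or repeat is treated as a cloned-authenticator signal and the
    login is refused. Returns the new value to persist for the credential."""
    if stored == 0 and reported == 0:
        return 0  # authenticator does not implement a signature counter
    if reported > stored:
        return reported
    raise CounterRegression(f"signCount {reported} is not greater than stored {stored}")


if __name__ == "__main__":
    t = 1_700_000_000  # constructed "now" (seconds since epoch)
    v = TotpVerifier(TEST_SECRET_B32)
    code = totp(TEST_SECRET_B32, t // 30)
    print("first use accepted:", v.verify(code, t))        # True
    print("same code again:", v.verify(code, t + 5))       # False (replay)
    print("counter 10 -> 11:", check_sign_count(10, 11))   # 11
    try:
        check_sign_count(11, 11)
    except CounterRegression as exc:
        print("rejected:", exc)
```

The verifier state (`last_step`) must live in persistent per-user storage, not in the web session, otherwise a second session can replay the same code; the example keeps it in memory only to stay self-contained.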

Roles & separation of duties

Administrators manage methods, policies, and can view full audit logs — but cannot read, disable, or bypass a user's enrolled 2FA. Each user is fully in control of their own second factor.

If you think this module is a fork of another one (published after the first one) or violates some terms or conditions of use (for users or vendors), you can make a report at dolistore@dolibarr.org