
Two-Factor Authentication Pro

mp24503d20260401013009

The most complete two-factor authentication for Dolibarr. TOTP (Google Authenticator, Authy...), WebAuthn/FIDO2 (YubiKey, Touch ID, Windows Hello), backup codes, multi-device, AES-256 encryption, brute-force protection.

89.00 €
Excl. tax

  • Author Theo Pequignot
  • Module version 6.0.0
  • Release date 04/01/2026
  • Access to download and updates 2 years
  • How to contact support contact@theopequignot.fr
  • Compatibility Dolibarr V14+   -   PHP7.4 - 8.4
  • Last update 06/08/2026 11:01 AM


Two-Factor Authentication (2FA) for Dolibarr

1. Overview

Standard password authentication is no longer sufficient to protect sensitive enterprise data. This module integrates a mandatory or optional security layer into the Dolibarr login process, safeguarding the ERP/CRM against credential theft through modern Multi-Factor Authentication (MFA).

2. Key Features

Supported Authentication Methods

  • TOTP (Time-Based One-Time Password): 6-digit codes valid for 30 seconds. Fully compatible with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, Aegis, and FreeOTP.

  • WebAuthn / FIDO2: Support for hardware security keys (e.g., YubiKey) and native biometric systems (Touch ID, Face ID, Windows Hello).

  • Backup Codes: Generates a set of 10 single-use codes, secured via bcrypt hashing, ensuring users can regain access if they lose their primary device.

Multi-Device Management

  • Users can link multiple security keys or authenticator apps to a single account.

  • Dedicated self-service interface for users to add, rename, or revoke registered devices.

Enterprise-Grade Hardening

  • Data Encryption: TOTP secrets are encrypted at rest in the database using the AES-256-CBC algorithm.

  • Brute-Force Protection: Automatic IP lockout after 5 consecutive failed attempts within a 15-minute window.

  • Anti-Replay: Immediate invalidation of a TOTP code once it has been verified.

  • Audit Logging: Comprehensive tracking of login attempts, including IP addresses, timestamps, authentication methods, devices used, and outcomes.

  • Application Security: Strict CSRF protection on all forms and enforcement of secure HTTP headers (X-Frame-Options, Content-Security-Policy, Cache-Control: no-store).
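
The TOTP, anti-replay and lockout rules listed above can be exercised together in a short sketch. This is an added example, not the module's own code: the `Verifier` class, its in-memory storage, the HMAC-SHA1 default from RFC 6238 and the choice to count a replayed code as a failed attempt are all assumptions made for illustration.

```python
import hashlib, hmac, struct, time
from collections import defaultdict, deque

STEP, DIGITS = 30, 6             # page: 6-digit codes valid for 30 seconds
MAX_FAILS, WINDOW = 5, 15 * 60   # page: 5 failed attempts within 15 minutes

def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical in-memory verifier; a real deployment persists this state."""
    def __init__(self):
        self.last_step = {}               # user -> last accepted time step
        self.fails = defaultdict(deque)   # ip -> timestamps of recent failures

    def locked(self, ip: str, now: float) -> bool:
        q = self.fails[ip]
        while q and now - q[0] >= WINDOW:  # forget failures older than 15 min
            q.popleft()
        return len(q) >= MAX_FAILS

    def verify(self, user, ip, secret, code, now=None) -> str:
        now = time.time() if now is None else now
        if self.locked(ip, now):
            return "locked"               # refuse before touching the secret
        step = int(now) // STEP
        expected = totp(secret, step).encode()
        # Constant-time comparison, then the anti-replay check: a time step
        # that was already accepted for this user is never accepted again.
        if (hmac.compare_digest(expected, code.encode())
                and step > self.last_step.get(user, -1)):
            self.last_step[user] = step
            self.fails[ip].clear()        # "consecutive": success resets count
            return "ok"
        self.fails[ip].append(now)
        return "denied"

if __name__ == "__main__":
    v, key = Verifier(), b"12345678901234567890"   # constructed sample secret
    print(v.verify("alice", "203.0.113.5", key, totp(key, 1), now=59))  # ok
    print(v.verify("alice", "203.0.113.5", key, totp(key, 1), now=59))  # denied
```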

3. Enrollment & Administration

User Onboarding

  • Automatic prompt guiding users to configure 2FA upon their first login following module activation.

  • Local QR code generation to eliminate any dependency on third-party tracking APIs.

  • Global enforcement capability via the MOD2FA_MANDATORY configuration constant.

Administrative Tools

  • Dashboard: Real-time insights including 24-hour activity statistics, user adoption rates, and active IP blocks.

  • User Management: Global overview of 2FA statuses, registered devices, and last login timestamps. Includes administrative overrides to reset 2FA, force re-enrollment, or regenerate backup codes.

  • Maintenance: Built-in script to re-encrypt stored secrets in bulk when updating encryption keys.

User Interface

  • Standalone login and configuration pages designed independently from Dolibarr core themes to prevent layout or contrast issues.

  • Fully responsive and mobile-friendly design.

4. Installation

  1. Extract the mod2fa-6.0.0.zip archive into your Dolibarr htdocs/custom/ directory.

  2. Navigate to Setup > Modules/Applications > Others.

  3. Enable the Mod2fa module.

  4. Required database tables will initialize automatically. Users will be prompted to set up 2FA on their next login.

5. Technical Requirements

  • Dolibarr: Version 14.0 or higher.

  • PHP: Version 7.4 minimum (fully compatible with versions 8.0 through 8.4).

  • Database: MySQL 5.7+ or MariaDB 10.3+.

  • Extensions: OpenSSL extension enabled for cryptographic functions.

  • Network: HTTPS is strictly required for WebAuthn/FIDO2 operations.



