Overview

This document outlines the email-based Multi-Factor Authentication (MFA) and device trust features added to the existing login system. The feature adds an additional layer of security to the login process, requiring users to verify their identity through a token sent to their registered email address, and allowing trusted devices to bypass MFA for a specified period of time.

How It Works

Configuration Parameters

To get started, simply configure the following settings in your MariaDB misc table:

• login_mfa_email: A boolean value indicating whether email-based MFA is activated (1) or not (0). Default value is 0.
• login_mfa_email_valid: An integer value representing the number of seconds the MFA link is valid for. Valid values are between 120 and 3600, with a default value of 300.
• login_mfa_trust_ttl: An integer value representing the number of days a device is trusted. Valid values are between 1 and 180 (6 months), with a default value of 180 days.

Login

Here's what happens when users log in with email-based MFA:

1. Initial Login: They enter their credentials and submit the login form.
2. Password Validation: We verify their password. If valid, we proceed to the next step.
3. MFA Token Generation: We generate a unique token using our secure algorithm. The token is set to expire after the time specified in login_mfa_email_valid (in seconds).
4. Email Notification: We send an email to their registered email address with a link to complete the MFA process.

Device Trust

When device trust is not enabled, MFA is always required when users login. When it's enabled, their devices will be remembered for a specified period and users won't need to enter MFA during this time. Here's how it works:

• Device Trust Interval: When MFA is enabled, the device is considered trusted for the interval of time specified in login_mfa_trust_ttl. During this interval, MFA is not required.
• Trust Expiration: After the trust interval expires, you'll need to enter MFA again to access your account.