Installed Google Authenticator module
Installed Mobile Codes module
Configured a code for my account, scanned the code into GAuthenticator.
Went to permissions, unchecked box "Login without code" for all groups. Saved.
Logged out.

Logged in with correct username and password only. Login worked (I don't think it should, unless I'm mistaken).
Logging in with correct username and password and a bad code results in a form error for the code box.
Logging in with correct username, password and code. Login worked.


vangorra’s picture

Category: bug » feature
Priority: Critical » Normal

After browsing the Drupal source I noticed user_access hardcodes user id 1 to have all permissions. The module works perfectly for non-uid 1 users.

To solve the issue for root users (uid 1), I see two options up front:

Option 1:
Since admins are likely using this module to increase security, I would highly recommend the root account be disabled and have the username and password set to crazy random strings and only allow local logins.

Option 2:
On the root user's profile page, give them the option to "Lock my keys in the car" if you will. So the root user must use two-factor authentication to log in.

Honestly, I like option 2 the most as it provides lay users the possibility for secure authentication. Thoughts?

attiks’s picture

You're right, uid 1 is a special case. To force uid 1 to also use a code you have to set the variable 'ga_login_always_for_uid1' to 1.

How to:

  1. drush ga_login_always_for_uid1 1
  2. add the following to settings.php

         <?php
         global $conf;
         $conf['ga_login_always_for_uid1'] = 1;

  3. use phpmyadmin or something similar to add it to the variable table.

attiks’s picture

Version: 7.x-1.1 » 7.x-1.x-dev
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

dale386’s picture

The proper drush command for this is drush vset ga_login_always_for_uid1 1.
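
The interaction discussed in this thread, as an added example that is not part of the original issue and is not Drupal's or the module's own code: a simplified model of why an opt-out permission can never be revoked from uid 1, and how an explicit override checked before the permission lookup closes the gap. The function names, the permission string 'login without code' and the sample accounts are assumptions made for illustration; only the variable name ga_login_always_for_uid1 comes from the thread.

```php
<?php
// Simplified model for illustration only (not Drupal's or the module's code).

// Models the behaviour described in the thread: uid 1 passes every
// permission check, whatever is ticked on the permissions page.
function model_user_access(string $permission, array $account, array $role_permissions): bool {
  if ($account['uid'] == 1) {
    return TRUE;
  }
  foreach ($account['roles'] as $role) {
    if (in_array($permission, $role_permissions[$role] ?? [], TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Hypothetical decision function: must this account supply a code at login?
function model_code_required(array $account, array $role_permissions, array $conf): bool {
  // Explicit override, evaluated before any permission lookup.
  if ($account['uid'] == 1 && !empty($conf['ga_login_always_for_uid1'])) {
    return TRUE;
  }
  // Opt-out permission (assumed name): holding it means the code may be skipped.
  return !model_user_access('login without code', $account, $role_permissions);
}

// Constructed sample data: the opt-out permission is unchecked for every role.
$role_permissions = ['authenticated user' => [], 'administrator' => []];
$root   = ['uid' => 1, 'roles' => ['authenticated user']];
$editor = ['uid' => 7, 'roles' => ['authenticated user', 'administrator']];

// Compare the decision without and with the override variable set.
foreach ([[], ['ga_login_always_for_uid1' => 1]] as $conf) {
  printf("override=%d  uid 1 code required: %s  uid 7 code required: %s\n",
    $conf['ga_login_always_for_uid1'] ?? 0,
    var_export(model_code_required($root, $role_permissions, $conf), TRUE),
    var_export(model_code_required($editor, $role_permissions, $conf), TRUE));
}
```

The general point for module authors: a control expressed as "users with permission X may skip the check" silently exempts any account that bypasses permission checks, so a superuser needs a separate, explicit setting.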