Smartphones that can install TOTP apps are not ubiquitous and TFA Basic does not allow SMS to be the primary TFA method for accounts.
Allow other TFA plugins to be set as the primary validation TFA method.
None expected.
In the territory where my site is used, SMS is ubiquitous, whilst smartphones are not necessarily as common and it would be useful to set SMS as the default validation plugin, with TOTP and Recovery Codes as a fall-back.
| Comment | File | Size | Author |
|---|---|---|---|
| #13 | 2-step verification.png | 74.33 KB | scor |
| #12 | 2335063-tfa-basic-allow-sms-12.patch | 39.77 KB | coltrane |
| #11 | 2335063-tfa-basic-allow-sms-11.patch | 39.28 KB | coltrane |
| #10 | 2335063-tfa-basic-allow-sms-10.patch | 37.45 KB | coltrane |
| #6 | 2335063-tfa-basic-allow-sms-6.patch | 4.91 KB | coltrane |
Comments
Comment #1
johnkareoke commentedHave taken a look at the module code and see that this is relatively easy to change: have commented out line 404 of tfa_basic.module
Comment #2
coltraneYour approach isn't recommended, commenting out the code will mean that when you upgrade to a new TFA Basic release you'll undo your change and have to manually reset. A better approach is for the module to adapt to support your feature request. This is doable just needs a patch to the admin form and context handling.
Comment #3
subhojit777Is there any reason those values were unset.
Comment #4
subhojit777I have removed the code as said by @johncarolin in #1, and it is working alright. I mean if Twilio is selected, then TOTP becomes the fallback validation, no issues with that.
Comment #5
realkevinoshea commentedPatch worked fine for me. My use case is the same, we want to verify using SMS only because many of our users do not have smartphones.
Comment #6
coltraneThanks for the work here but #4 doesn't modify the #states logic so that Twilio config variables are required. Try this out please.
Comment #7
coltraneNeeds work to support the setup flow because TFA Basic assumes TOTP first and doesn't check for SMS or recovery codes as tfa_validate plugin.
Comment #8
coltraneUpdated issue summary to clarify the remaining work necessary to achieve the goal.
Comment #9
pjcdawkins commentedYes, I'd be interested in any way to get the setup stage working via SMS.
Comment #10
coltraneAttached patch gets the various plugins working with user setup depending on their configuration (as primary validation or fallback).
Tests pass but could use testing with SMS enabled as primary validation plugin. I was mostly testing using the Recovery codes as the validation plugin.
Note, you'll need to clear Drupal page cache after applying this patch because some menu page arguments have changed.
Comment #11
coltraneSMS works just needed some minor text updates for being the primary validation plugin.
Comment #12
coltrane#11 was missing modification to tfa_basic_context_alter for SMS being set as validation.
Comment #13
scor commentedSorry if I missed it, but it's not clear in the summary. What's the intend behavior here? Is it the site admin who is going to choose what the primary plugin (and thus required) is? The ideal behavior IMO is similar to what Google does, which is to let the user choice between SMS and TOTP for example:
Comment #14
coltraneUpdated issue summary to more clearly define the problem and proposed solution.
Comment #15
scor commentedThanks Ben. Removed duplicate image from OP.
Will the primary validation method be required for a user to be able to setup another validation method? Example: If the site admin sets SMS as primary, will the user be able to setup TOTP w/o SMS? and vice versa?
Comment #16
coltraneTFA Basic currently (and also with the latest patch) doesn't allow skipping setting up the primary method. It would make sense to allow either to be set but I'll have to think on how to adapt the setup form to handle that. Given that this patch is already kind of big I'm inclined to push that to a separate ticket.
Comment #18
coltraneCommitted #12. Per-user selection of TFA method at #2478307: Allow user to decide which method is primary