Multi-Factor Authentication (replaces Two Factor Authentication)

administrator/components/com_admin/script.php

@@ -7809,6 +7809,8 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/libraries/vendor/maximebf/debugbar/build',
 			// From 4.1 to 4.2.0
 			'/libraries/vendor/nyholm/psr7/doc',
+			'/plugins/twofactorauth/totp',
+			'/plugins/twofactorauth/yubikey',
 		);
 
 		$status['files_checked'] = $files;

administrator/components/com_admin/sql/updates/mysql/4.2.0-2022-05-15.sql

@@ -0,0 +1,57 @@
+--
+-- Create the new table for MFA
+--
+CREATE TABLE IF NOT EXISTS `#__user_mfa` (
+  `id` int NOT NULL AUTO_INCREMENT,
+  `user_id` int unsigned NOT NULL,
+  `title` varchar(255) NOT NULL DEFAULT '',
+  `method` varchar(100) NOT NULL,
+  `default` tinyint NOT NULL DEFAULT 0,
+  `options` mediumtext NOT NULL,
+  `created_on` datetime NOT NULL,
+  `last_used` datetime,
+  PRIMARY KEY (`id`),
+  KEY `idx_user_id` (`user_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE=utf8mb4_unicode_ci COMMENT='Multi-factor Authentication settings';
+
+--
+-- Remove obsolete postinstallation message
+--
+DELETE FROM `#__postinstall_messages` WHERE `condition_file` = 'site://plugins/twofactorauth/totp/postinstall/actions.php';
+
+--
+-- Add new MFA plugins
+--
+INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`, `client_id`, `enabled`, `access`, `protected`, `locked`, `manifest_cache`, `params`, `custom_data`, `ordering`, `state`) VALUES
+(0, 'plg_multifactorauth_totp', 'plugin', 'totp', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 1, 0),
+(0, 'plg_multifactorauth_yubikey', 'plugin', 'yubikey', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 2, 0),
+(0, 'plg_multifactorauth_webauthn', 'plugin', 'webauthn', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 3, 0),
+(0, 'plg_multifactorauth_email', 'plugin', 'email', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 4, 0),
+(0, 'plg_multifactorauth_fixed', 'plugin', 'fixed', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 5, 0);
+
+--
+-- Update MFA plugins' publish status
+--
+UPDATE `#__extensions` AS `a`
+	INNER JOIN `#__extensions` AS `b` on `a`.`element` = `b`.`element`
+SET `a`.enabled = `b`.enabled
+WHERE `a`.folder = 'multifactorauth'
+	AND `b`.folder = 'twofactorauth';
+
+--
+-- Remove legacy TFA plugins
+--
+DELETE FROM `#__extensions`
+WHERE `type` = 'plugin' AND `folder` = 'twofactorauth' AND `element` IN ('totp', 'yubikey');
+
+--
+-- Add post-installation message
+--
+INSERT IGNORE INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `action_key`, `language_extension`, `language_client_id`, `type`, `action_file`, `action`, `condition_file`, `condition_method`, `version_introduced`, `enabled`)
+SELECT `extension_id`, 'COM_USERS_POSTINSTALL_MULTIFACTORAUTH_TITLE', 'COM_USERS_POSTINSTALL_MULTIFACTORAUTH_BODY', 'COM_USERS_POSTINSTALL_MULTIFACTORAUTH_ACTION', 'com_users', 1, 'action', 'admin://components/com_users/postinstall/multifactorauth.php', 'com_users_postinstall_mfa_action', 'admin://components/com_users/postinstall/multifactorauth.php', 'com_users_postinstall_mfa_condition', '4.2.0', 1 FROM `#__extensions` WHERE `name` = 'files_joomla';
+
+--
+-- Create a mail template for plg_multifactorauth_email
+--
+INSERT IGNORE INTO `#__mail_templates` (`template_id`, `extension`, `language`, `subject`, `body`, `htmlbody`, `attachments`, `params`) VALUES
+('plg_multifactorauth_email.mail', 'plg_multifactorauth_email', '', 'PLG_MULTIFACTORAUTH_EMAIL_EMAIL_SUBJECT', 'PLG_MULTIFACTORAUTH_EMAIL_EMAIL_BODY', '', '', '{"tags":["code","sitename","siteurl","username","email","fullname"]}');

administrator/components/com_admin/sql/updates/postgresql/4.2.0-2022-05-15.sql

@@ -0,0 +1,63 @@
+--
+-- Create the new table for MFA
+--
+CREATE TABLE IF NOT EXISTS "#__user_mfa" (
+  "id" serial NOT NULL,
+  "user_id" bigint NOT NULL,
+  "title" varchar(255) DEFAULT '' NOT NULL,
+  "method" varchar(100) NOT NULL,
+  "default" smallint DEFAULT 0 NOT NULL,
+  "options" text NOT NULL,
+  "created_on" timestamp without time zone NOT NULL,
+  "last_used" timestamp without time zone,
+  PRIMARY KEY ("id")
+);
+
+CREATE INDEX "#__user_mfa_idx_user_id" ON "#__user_mfa" ("user_id") /** CAN FAIL **/;
+
+COMMENT ON TABLE "#__user_mfa" IS 'Multi-factor Authentication settings';
+
+--
+-- Remove obsolete postinstallation message
+--
+DELETE FROM "#__postinstall_messages" WHERE "condition_file" = 'site://plugins/twofactorauth/totp/postinstall/actions.php';
+
+--
+-- Add new MFA plugins
+--
+INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "locked", "manifest_cache", "params", "custom_data", "ordering", "state") VALUES
+(0, 'plg_multifactorauth_totp', 'plugin', 'totp', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 1, 0),
+(0, 'plg_multifactorauth_yubikey', 'plugin', 'yubikey', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 2, 0),
+(0, 'plg_multifactorauth_webauthn', 'plugin', 'webauthn', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 3, 0),
+(0, 'plg_multifactorauth_email', 'plugin', 'email', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 4, 0),
+(0, 'plg_multifactorauth_fixed', 'plugin', 'fixed', 'multifactorauth', 0, 0, 1, 0, 1, '', '', '', 5, 0);
+
+--
+-- Update MFA plugins' publish status
+--
+UPDATE "#__extensions" AS "a"
+SET "enabled" = "b"."enabled"
+FROM "#__extensions" AS "b"
+WHERE "a"."element" = "b"."element"
+	AND "a"."folder" = 'multifactorauth'
+	AND "b"."folder" = 'twofactorauth';
+
+--
+-- Remove legacy TFA plugins
+--
+DELETE FROM "#__extensions"
+WHERE "type" = 'plugin' AND "folder" = 'twofactorauth' AND "element" IN ('totp', 'yubikey');
+
+--
+-- Add post-installation message
+--
+INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "action_key", "language_extension", "language_client_id", "type", "action_file", "action", "condition_file", "condition_method", "version_introduced", "enabled")
+SELECT "extension_id", 'COM_USERS_POSTINSTALL_MULTIFACTORAUTH_TITLE', 'COM_USERS_POSTINSTALL_MULTIFACTORAUTH_BODY', 'COM_USERS_POSTINSTALL_MULTIFACTORAUTH_ACTION', 'com_users', 1, 'action', 'admin://components/com_users/postinstall/multifactorauth.php', 'com_users_postinstall_mfa_action', 'admin://components/com_users/postinstall/multifactorauth.php', 'com_users_postinstall_mfa_condition', '4.2.0', 1 FROM "#__extensions" WHERE "name" = 'files_joomla'
+ON CONFLICT DO NOTHING;
+
+--
+-- Create a mail template for plg_multifactorauth_email
+--
+INSERT INTO "#__mail_templates" ("template_id", "extension", "language", "subject", "body", "htmlbody", "attachments", "params") VALUES
+('plg_multifactorauth_email.mail', 'plg_multifactorauth_email', '', 'PLG_MULTIFACTORAUTH_EMAIL_EMAIL_SUBJECT', 'PLG_MULTIFACTORAUTH_EMAIL_EMAIL_BODY', '', '', '{"tags":["code","sitename","siteurl","username","email","fullname"]}')
+ON CONFLICT DO NOTHING;

administrator/components/com_joomlaupdate/src/Model/UpdateModel.php

@@ -1484,7 +1484,7 @@ public function getNonCoreExtensions()
 	 *
 	 * @since   3.10.0
 	 */
-	public function getNonCorePlugins($folderFilter = ['system','user','authentication','actionlog','twofactorauth'])
+	public function getNonCorePlugins($folderFilter = ['system','user','authentication','actionlog','multifactorauth'])
 	{
 		$db    = $this->getDbo();
 		$query = $db->getQuery(true);

administrator/components/com_joomlaupdate/tmpl/update/finaliseconfirm.php

@@ -19,8 +19,6 @@
 $wa = $this->document->getWebAssetManager();
 $wa->useScript('keepalive');
 
-$twofactormethods = AuthenticationHelper::getTwoFactorMethods();
-
 ?>
 
 <div class="alert warning">
@@ -63,21 +61,6 @@
 				</div>
 			</div>
 		</div>
-		<?php if (count($twofactormethods) > 1) : ?>
-			<div class="control-group">
-				<div class="controls">
-					<div class="input-group">
-						<input name="secretkey" autocomplete="one-time-code" id="mod-login-secretkey" type="text" class="form-control" placeholder="<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>" size="15">
-						<span class="input-group-text" title="<?php echo Text::_('JGLOBAL_SECRETKEY_HELP'); ?>">
-							<span class="icon-star" aria-hidden="true"></span>
-							<label for="mod-login-secretkey" class="visually-hidden">
-								<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>
-							</label>
-						</span>
-					</div>
-				</div>
-			</div>
-		<?php endif; ?>
 		<div class="control-group">
 			<div class="controls">
 				<div class="btn-group">

administrator/components/com_joomlaupdate/tmpl/upload/captive.php

@@ -15,8 +15,6 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Router\Route;
 
-$twofactormethods = AuthenticationHelper::getTwoFactorMethods();
-
 /** @var Joomla\CMS\WebAsset\WebAssetManager $wa */
 $wa = $this->document->getWebAssetManager();
 $wa->useScript('core')
@@ -67,21 +65,6 @@
 				</div>
 			</div>
 		</div>
-		<?php if (count($twofactormethods) > 1) : ?>
-			<div class="control-group">
-				<div class="controls">
-					<div class="input-group">
-						<input name="secretkey" autocomplete="one-time-code" id="mod-login-secretkey" type="text" class="form-control" placeholder="<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>" size="15">
-						<span class="input-group-text" title="<?php echo Text::_('JGLOBAL_SECRETKEY_HELP'); ?>">
-							<span class="icon-star" aria-hidden="true"></span>
-							<label for="mod-login-secretkey" class="visually-hidden">
-								<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>
-							</label>
-						</span>
-					</div>
-				</div>
-			</div>
-		<?php endif; ?>
 		<div class="control-group">
 			<div class="controls">
 				<a class="btn btn-danger" href="index.php?option=com_joomlaupdate">

administrator/components/com_users/config.xml

@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <config>
 	<help key="Users:_Options"/>
+	<inlinehelp button="show"/>
 	<fieldset
 		name="user_options"
 		label="COM_USERS_CONFIG_USER_OPTIONS" >
@@ -109,33 +110,6 @@
 			<option value="0">JNO</option>
 			<option value="1">JYES</option>
 		</field>
-
-		<field
-			name="enforce_2fa_options"
-			type="list"
-			label="COM_USERS_CONFIG_FIELD_ENFORCE_2FA_FIELD_LABEL"
-			description="COM_USERS_CONFIG_FIELD_ENFORCE_2FA_FIELD_DESC"
-			default="0"
-			filter="integer"
-			validate="options"
-			>
-			<option value="0">JNO</option>
-			<option value="1">COM_USERS_CONFIG_FIELD_ENFORCE_2FA_FIELD_SITE</option>
-			<option value="2">COM_USERS_CONFIG_FIELD_ENFORCE_2FA_FIELD_ADMIN</option>
-			<option value="3">COM_USERS_CONFIG_FIELD_ENFORCE_2FA_FIELD_BOTH</option>
-		</field>
-
-		<field
-			name="enforce_2fa_usergroups"
-			type="usergrouplist"
-			label="COM_USERS_CONFIG_FIELD_ENFORCE_2FA_GROUPS_LABEL"
-			layout="joomla.form.field.list-fancy-select"
-			multiple="true"
-			filter="int_array"
-			size="10"
-			showon="enforce_2fa_options!:0"
-		/>
-
 	</fieldset>
 
 	<fieldset
@@ -238,6 +212,125 @@
 		/>
 	</fieldset>
 
+	<fieldset
+		name="multifactorauth"
+		label="COM_USERS_CONFIG_MULTIFACTORAUTH_SETTINGS_LABEL"
+		description="COM_USERS_CONFIG_MULTIFACTORAUTH_SETTINGS_DESC"
+		addfieldprefix="Joomla\Component\Users\Administrator\Field"
+	>
+		<field
+			name="allowed_positions_frontend"
+			type="modulesposition"
+			label="COM_USERS_CONFIG_ALLOWED_POSITIONS_FRONTEND_LABEL"
+			description="COM_USERS_CONFIG_ALLOWED_POSITIONS_FRONTEND_DESC"
+			default=""
+			layout="joomla.form.field.list-fancy-select"
+			client="site"
+			multiple="1"
+		/>
+
+		<field
+			name="frontend_show_title"
+			type="radio"
+			label="COM_USERS_CONFIG_FRONTEND_SHOW_TITLE_LABEL"
+			description="COM_USERS_CONFIG_FRONTEND_SHOW_TITLE_DESC"
+			layout="joomla.form.field.radio.switcher"
+			default="1"
+			>
+			<option value="0">JNO</option>
+			<option value="1">JYES</option>
+		</field>
+
+		<field
+			name="allowed_positions_backend"
+			type="modulesposition"
+			label="COM_USERS_CONFIG_ALLOWED_POSITIONS_BACKEND_LABEL"
+			description="COM_USERS_CONFIG_ALLOWED_POSITIONS_BACKEND_DESC"
+			default=""
+			layout="joomla.form.field.list-fancy-select"
+			client="administrator"
+			multiple="1"
+		/>
+
+		<field
+			name="neverMFAUserGroups"
+			type="UserGroupList"
+			label="COM_USERS_CONFIG_NEVERMFAUSERGROUPS_LABEL"
+			description="COM_USERS_CONFIG_NEVERMFAUSERGROUPS_DESC"
+			layout="joomla.form.field.list-fancy-select"
+			checksuperusergroup="1"
+			default=""
+			multiple="1"
+			>
+			<option value="0">COM_USERS_CONFIG_LBL_NOGROUP</option>
+		</field>
+
+		<field
+			name="forceMFAUserGroups"
+			type="UserGroupList"
+			label="COM_USERS_CONFIG_FORCEMFAUSERGROUPS_LABEL"
+			description="COM_USERS_CONFIG_FORCEMFAUSERGROUPS_DESC"
+			layout="joomla.form.field.list-fancy-select"
+			checksuperusergroup="1"
+			default=""
+			multiple="1"
+			>
+			<option value="0">COM_USERS_CONFIG_LBL_NOGROUP</option>
+		</field>
+
+		<field
+			name="captive_template"
+			type="templatestyle"
+			label="COM_USERS_CONFIG_FRONTEND_CAPTIVE_TEMPLATE_LABEL"
+			description="COM_USERS_CONFIG_FRONTEND_CAPTIVE_TEMPLATE_DESC"
+			client="site"
+			>
+			<option value="">JOPTION_USE_DEFAULT</option>
+		</field>
+
+		<field
+			name="mfaonsilent"
+			type="radio"
+			label="COM_USERS_CONFIG_MFAONSILENT_LABEL"
+			description="COM_USERS_CONFIG_MFAONSILENT_DESC"
+			layout="joomla.form.field.radio.switcher"
+			default="0"
+			>
+			<option value="0">JNO</option>
+			<option value="1">JYES</option>
+		</field>
+
+		<field
+			name="silentresponses"
+			type="text"
+			label="COM_USERS_CONFIG_SILENTRESPONSES_LABEL"
+			description="COM_USERS_CONFIG_SILENTRESPONSES_DESC"
+			default="cookie, passwordless"
+			showon="mfaonsilent:0"
+		/>
+
+		<field
+			name="mfaredirectonlogin"
+			type="radio"
+			label="COM_USERS_CONFIG_REDIRECTONLOGIN_LABEL"
+			description="COM_USERS_CONFIG_REDIRECTONLOGIN_DESC"
+			layout="joomla.form.field.radio.switcher"
+			default="0"
+			>
+			<option value="0">JNO</option>
+			<option value="1">JYES</option>
+		</field>
+
+		<field
+			name="mfaredirecturl"
+			type="text"
+			label="COM_USERS_CONFIG_REDIRECTURL_LABEL"
+			description="COM_USERS_CONFIG_REDIRECTURL_DESC"
+			default=""
+			showon="redirectonlogin:1"
+		/>
+	</fieldset>
+
 	<fieldset
 		name="user_notes_history"
 		label="COM_USERS_CONFIG_FIELD_NOTES_HISTORY" >

administrator/components/com_users/forms/filter_users.xml

@@ -17,6 +17,16 @@
 			>
 			<option value="">COM_USERS_FILTER_STATE</option>
 		</field>
+		<field
+			name="mfa"
+			type="list"
+			label="COM_USERS_HEADING_MFA"
+			onchange="this.form.submit();"
+			>
+			<option value="">COM_USERS_FILTER_MFA</option>
+			<option value="1">JENABLED</option>
+			<option value="0">JDISABLED</option>
+		</field>
 		<field
 			name="active"
 			type="useractive"

administrator/components/com_users/forms/user.xml

@@ -135,7 +135,6 @@
 
 	</fieldset>
 	<field name="groups" type="hidden" />
-	<field name="twofactor" type="hidden" />
 
 	<fields name="params">