
JCOGS One-Time Passwords

EE OTP provides a simple solution for Multi-Factor Authentication (MFA) for EE sites.

EE OTP modifies the EE log in process to require a user to enter a six-digit "One-Time Password" in addition to their regular log in credentials; the six-digit code is generated algorithmically from a sixteen character key which is associated with the member account.

The algorithm used by EE OTP conforms to the requirements of IETF RFC 4226 (HOTP), so its OTP codes can be generated by most standard "Authenticator" apps.

EE OTP also allows the OTP code to be sent to the member by email during the log in process. A later version will add support for sending OTP codes by SMS and possibly other messaging platforms.

EE OTP uses the Member Roles system introduced in EE6 to control which site members have access to OTP, and to set whether access for a role group is optional or mandatory.

Installation

Copy the jcogs_otp folder to your system/user/addons folder and then install from the ExpressionEngine Control Panel Add-ons page.

Configuration

Configuration of the add-on is required before it can be used.

Configuration is controlled using the add-on settings page which can be accessed from the ExpressionEngine Control Panel Add-ons page.

Main Settings

Enable or disable OTP - Does what it says on the tin...

Member Role where OTP Use is Required - Choose a member role for which use of OTP will be required. If the members you want to require to use OTP do not match an existing role exactly, simply create a new member role and assign those members to it.

Member Role where OTP Use is Optional - Choose a member role for which use of OTP will be optional. If the members you want to offer OTP to do not match an existing role exactly, simply create a new member role and assign those members to it.

Email Settings

Allows you to specify which email account should appear as the sender of the OTP emails. The emails themselves are sent using whatever outbound email settings are in place on the EE system, so this information is primarily informational: the sender address does not have to belong to the EE server at all if you do not want it to. Some spam filters, however, mark down messages whose sender details are obviously spurious, so choosing a plausible sender address here will help ensure the OTP emails are delivered.

Enable sending of OTPs by email - Does what it says on the tin...

Name of Email Sender - Choose the name for the email sender that will be shown when OTP code email arrives.

Email Address of Email Sender - Choose the sender's email address for the OTP code email.

Advanced Email Options

Subject line for OTP emails - The subject line of emails sent by EE-OTP always begins with the Site Label followed by whatever text is specified here. By default this additional text is set to "One-Time Password".

Email preamble - A paragraph of text that is included in the OTP code email immediately before the line containing the OTP code itself. By default this is left blank.

OTP Code Prefix - Text that will immediately precede the OTP code in the email. By default it is set to "Your OTP Code: ".

Email Closing - A paragraph of text that is included in the OTP code email immediately after the line containing the OTP code itself. By default this is left blank.

Change email Reply-To settings

Allows you to specify an email account to which replies to the OTP email should be directed. If this is not specified then most email systems will direct the reply to the email address given for the sender.

Name of Reply-To Account - Choose the name that will be shown for the Reply-To address when a member replies to the OTP code email.

Email Address of Reply-To Account - Choose the email address to which replies to the OTP code email will be directed.

Usage notes

Resetting the OTP Key
Each member is assigned a unique key that is used to generate and validate the OTP codes. There are three events that cause this key to be reset:

  • If the member's EE login password is changed for any reason (forced, they request etc.);
  • If the member enters invalid OTP codes more than three times in a row;
  • If the member opts to change the mode of OTP delivery (e.g. from email to authenticator).

In each case EE OTP will generate and validate a new OTP key for the member on their next login attempt.

Enable / Disable Add-on
When operating, EE-OTP monitors several 'hooks' within the EE system so that it can detect when login events occur and to support its own operation. Due to the way EE works internally, this monitoring continues even when EE-OTP is disabled. The overhead introduced by this monitoring is by design minuscule, but if you are concerned about maximising the performance of your system then it makes sense to consider uninstalling EE-OTP if you do not plan to activate it: you can of course reinstall the add-on when it is needed.

EE Cache
EE-OTP makes use of EE's caching service to support critical parts of its operation. EE-OTP will only work correctly if your site is configured in a way that allows for the EE cache to operate. If you have a normal EE installation you will have no problems, but if you have an unusual / complex EE server setup this is something to be mindful of.

Support

Support is available from JCOGS Design via email sent to otp_addon@jcogs.net or via @JCOGS Design in the EE Slack discussion area (https://eecms.slack.com).

Changelog

1.0.0 (9 August 2021)
1.0.1 (11 August 2021)
1.0.2 (12 August 2021)
1.0.3 (7 October 2021)

Improvements to installer and settings methods.

1.0.4 (8 October 2021)

MSM compatible settings.