Add-on Documentation from JCOGS Design

Usage

Last updated: 3 October 2024

Registering a new user

New user registration is automatic

Registration of a new user is automatically triggered when a user, who is assigned to one of the member roles set for either automatic or optional OTP usage, logs in for the first time after OTP is configured. It is a simple two-step process.

Step 1 - set up a secret code in your Authentication app

When JCOGS OTP identifies that a new user is logging in, it adds a new screen to the login process immediately after the initial user-name and password screen.

JCOGS OTP New User Registration 
Screen 1 - Getting the Code

When this panel appears, and the ‘authentication app’ option is enabled in OTP settings and is chosen by the user, a panel showing a QR code and a 16-digit OTP key code appears. Use this information to set up a new Authentication entry in your OTP code generation application.

If email-based authentication is enabled as an option and is chosen by the user, the QR code / key code will not appear, as they are not needed for email-based authentication.

Step 2 - validate your OTP code generator / email process

Once the user clicks on the “Begin Validation” button, JCOGS OTP requests a test authentication code from the user - either generated by their authentication app, or received via email. The code is entered into a second dialogue box that appears.

JCOGS OTP New User Registration 
Screen 2 - Validating the Code

If the code entered by the user matches the one expected based on the secret OTP code given, JCOGS OTP will complete the user login process and the user will be transferred to the ExpressionEngine Control Panel home screen. 

If the code entered is incorrect, the user will be returned to the initial ExpressionEngine login screen and they can try again.

After a successful registration, the OTP code is associated with the user and will be requested during all future attempts to log into the ExpressionEngine Control Panel.

Resetting the OTP Key

Each member is assigned a unique key that is used to generate and validate the OTP codes. There are three ways in which this key can be reset:

  • If the member's EE login password is changed for any reason (forced, they request etc.);
  • If the member enters invalid OTP codes more than three times in a row;
  • If the member opts to change the mode of OTP delivery (e.g. from email to authenticator).

In each case EE OTP will generate / revalidate a new OTP key for the member on their next login attempt.
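
The code validation in Step 2 and the key reset rules above can be illustrated in Python. This is an added example, not JCOGS OTP's own code: it assumes the authenticator option follows RFC 6238 TOTP (SHA-1, 30-second windows, 6-digit codes) with a 16-character base32 key and a one-window drift allowance, and the Member class and its method names are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6   # assumed RFC 6238 defaults, not stated on the page
MAX_FAILS = 3          # from the page: more than three bad codes in a row

def new_key() -> str:
    """80 random bits as a 16-character base32 key (assumed key format)."""
    return base64.b32encode(secrets.token_bytes(10)).decode()

def totp(key: str, now: float) -> str:
    """RFC 6238 code for the time window that contains `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    digest = hmac.new(base64.b32decode(key), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Member:
    """Hypothetical per-member OTP state."""
    def __init__(self):
        self.reset_key()

    def reset_key(self):
        # A fresh key invalidates the old authenticator entry, so the member
        # goes through registration again at the next login.
        self.key, self.registered, self.fails = new_key(), False, 0

    def check_code(self, code: str, now: float) -> bool:
        # Accept the current and previous window (assumed drift tolerance);
        # compare_digest keeps the comparison constant-time.
        ok = any(hmac.compare_digest(totp(self.key, now - d * STEP).encode(),
                                     code.encode()) for d in (0, 1))
        if ok:
            self.registered, self.fails = True, 0
            return True
        self.fails += 1
        if self.fails > MAX_FAILS:
            self.reset_key()
        return False

    def change_password(self):       # reset trigger 1 on the page
        self.reset_key()

    def change_delivery_mode(self):  # reset trigger 3 on the page
        self.reset_key()

if __name__ == "__main__":
    m, t = Member(), 1_700_000_000   # constructed timestamp
    print("key:", m.key, "code:", totp(m.key, t), "ok:", m.check_code(totp(m.key, t), t))
```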

Enable / Disable Add-on

When operating, EE-OTP monitors several 'hooks' within the EE system so that it can detect when login events occur and to support its own operation. Due to the way EE works internally, this monitoring continues even when EE-OTP is disabled. The overhead introduced by this monitoring is by design minuscule, but if you are concerned about maximising the performance of your system then it makes sense to consider uninstalling EE-OTP if you do not plan to activate it: you can of course reinstall the add-on when it is needed.

EE Cache

EE-OTP makes use of EE's caching service to support critical parts of its operation. EE-OTP will only work correctly if your site is configured in a way that allows for the EE cache to operate. If you have a normal EE installation you will have no problems, but if you have an unusual / complex EE server setup this is something to be mindful of.