This week, I worked on adding two-factor authentication support for phpMyAdmin. This is by far the most interesting feature I have worked on. I had never really worked closely on the security side of any software, so this has been a very good learning experience.
Here is the process:
- Log in to your account normally.
- Access setup2FA.php. I have not yet figured out where to place the link that takes you directly to this page. That is more of a user-experience issue, and I leave it to the team to advise me on it.
- Open Google Authenticator (or Authy, or whatever you prefer) and scan the barcode with the app. The app now starts generating TOTP codes.
- Enter the TOTP code in the text field and click submit. Done! You have now successfully added two-factor authentication to your PMA account.
- The next time you log in, after you enter your credentials you will be asked for a TOTP code.
- Enter the generated TOTP code. You will not be logged in unless you clear this step. That's it! :D
- I am yet to add a way to remove two-factor authentication. You can check out the code from my branch. I will make a pull request after I add the removal part as well.
Since this is a security feature, I feel this requires thorough testing.
Special thanks to the TwoFactorAuth library.
Edit: Submitted pull request – https://github.com/phpmyadmin/phpmyadmin/pull/13495