MFA Configuration
Required configuration to enable the MFA feature.
When configuring Multi-Factor Authentication (MFA) features, especially in systems that involve user authentication and data protection, encryption and salting mechanisms are critical. Two environment values are required: a secret and a salt. Both work in tandem to maintain the integrity, confidentiality, and robustness of the MFA feature, ensuring that users' authentication processes are both secure and trustworthy.
CYBUS_MFA_ENABLED: when set to 'true', the MFA feature will be enabled in general. When set to 'false', the MFA feature is disabled.
CYBUS_MFA_ENCRYPTION_SECRET: the key for MFA encryption
CYBUS_MFA_ENCRYPTION_SALT: the salt as extra layer of randomness for MFA encryption
CYBUS_MFA_MAX_INVALID_OTPS_PER_USER: (optional) maximum number of invalid OTPs a user can enter during the MFA login flow before the account gets temporarily deactivated
CYBUS_MFA_BAN_DURATION_MINUTES: (optional) duration in minutes for temporarily user account deactivation after failing multiple times entering invalid OTPs during MFA login flow
Keep in mind that the combination of CYBUS_MFA_ENCRYPTION_SECRET and CYBUS_MFA_ENCRYPTION_SALT ensures the cryptographic robustness of 2FA tokens, making them both safe and distinct. If these values are compromised, it would expose the system to potential unauthorized access and breaches. By modifying these values, previously generated 2FA secrets became undecipherable. As a consequence, users with 2FA enabled would be unable to log in anymore.
Example configuration:
Related Links
Last updated