In today's digital age, online security has become a paramount concern for businesses of all sizes. To ensure the safety and privacy of their clients' sensitive data, many companies are turning to two-factor authentication (TFA) solutions. Recently, miniOrange, a leading provider of Drupal TFA/MFA modules, collaborated with BT48 to provide a customized two-factor authentication module solution for their client.
The client had a unique requirement where the authentication method displayed to the user for configuration would be dependent on their role. With miniOrange's expertise and the client's specific needs, the team was able to develop a feature that enabled second-factor authentication only for certain roles and displayed a list of allowed TFA methods based on the user's role.
About the project
Requirements -
- The client required a TFA solution to secure their website and authenticate users using second-factor authentication. The site administrator could select which 2FA methods (out of the 17+ 2FA methods supported by the module) would be allowed depending on users' roles; these would be available for all users to choose from during the inline registration process.
- Additionally, the client requested a unique feature where the 2FA method displayed to the user for configuration would be dependent on their role. For example, users with the 'Manager' role should only be authenticated via Google Authenticator, while other roles should have access to different 2FA methods.
Challenges -
- The main challenge faced during the project was to create a customized 2FA module that forces specific roles to authenticate with specific 2FA methods. The miniOrange Drupal 2FA module already supported role-based 2FA, but it did not provide a feature where the authentication method was displayed based on the user's role during configuration. The team had to find a way to integrate this feature into the existing module without affecting its performance.
Implementation -
The development team used the miniOrange Drupal 2FA module as a base for the custom solution, leveraging its pre-existing role-based authentication feature. The team then customized the module with a feature that lets the site administrator configure, per role, the list of 2FA methods that users are allowed to set up.

The module implemented TOTP methods such as Google Authenticator and email verification, along with other 2FA methods such as SMS and email authentication. The module dynamically displayed the list of allowed 2FA methods to users based on their roles. For example, if a user had the 'Manager' role, they would only be allowed to configure Google Authenticator as their 2FA method. On the other hand, a user with the 'Developer' role could choose from a list of available and allowed 2FA methods such as OTP over SMS and email verification.
The team also ensured that the 2FA module integrated seamlessly with the existing Drupal login flow. Users were prompted to configure their 2FA method immediately after logging in for the first time once the 2FA module was enabled. The module also enabled the site administrator to enforce 2FA for all users or only for users belonging to specific roles (role-based TFA).
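A sketch of the role-based method list and role-based enforcement described above, as an added example; it is not code from the miniOrange module. All function names, method ids and the policy table are hypothetical, and it assumes that a user holding several roles gets the most restrictive list and that the posted method is re-checked on the server rather than only filtered in the displayed list.

```php
<?php
declare(strict_types=1);

// Constructed policy (role => allowed 2FA method ids). Only "Manager uses
// Google Authenticator" comes from the case study; the rest is illustrative.
const ROLE_METHODS = [
    'manager'   => ['google_authenticator'],
    'developer' => ['google_authenticator', 'otp_over_sms', 'email_verification'],
];
const DEFAULT_METHODS = ['otp_over_sms', 'email_verification']; // assumption
const ENFORCED_ROLES  = ['manager', 'developer'];               // assumption

// Allowed methods for a user holding several roles. Assumption: the most
// restrictive policy wins (intersection), so an extra role never widens the set.
function allowed_methods(array $roles): array {
    $allowed = null;
    foreach ($roles as $role) {
        if (!array_key_exists($role, ROLE_METHODS)) {
            continue; // role carries no method restriction
        }
        $allowed = $allowed === null
            ? ROLE_METHODS[$role]
            : array_values(array_intersect($allowed, ROLE_METHODS[$role]));
    }
    return $allowed ?? DEFAULT_METHODS;
}

// Server-side check when the enrollment form is submitted: filtering the
// displayed list is not enough, the posted method id must be re-validated.
function can_enroll(array $roles, string $method): bool {
    return in_array($method, allowed_methods($roles), true);
}

// True when at least one of the user's roles has 2FA enforced.
function requires_2fa(array $roles): bool {
    return array_intersect($roles, ENFORCED_ROLES) !== [];
}

// Constructed sample users: [roles, method id posted by the client].
$cases = [
    [['manager'], 'google_authenticator'],
    [['manager'], 'otp_over_sms'],
    [['manager', 'developer'], 'otp_over_sms'],
    [['authenticated'], 'email_verification'],
];
foreach ($cases as [$roles, $method]) {
    printf("%-18s %-22s required=%-5s enroll=%s\n", implode('+', $roles), $method,
        var_export(requires_2fa($roles), true), var_export(can_enroll($roles, $method), true));
}
```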
In terms of security, the implementation utilized industry-standard TOTP-based 2FA methods, ensuring that user authentication was secure and resistant to phishing attacks. Additionally, the module implemented an option to allow users to reset their 2FA configuration by using a backup 2FA method of Knowledge-based Authentication (KBA), in case they lose their device or cannot access their 2FA method.
Overall, the implementation of the custom feature of the 2FA module for the client's Drupal website was successful and met all of their unique requirements. The solution ensured that the client's users could securely authenticate using 2FA methods that were appropriate for their role.
Results -
The customized 2FA module developed by miniOrange and BT48 allowed the client to secure their website and authenticate users using second-factor authentication. Drupal's flexibility and support for custom modules made it an ideal platform for the project, while the miniOrange Drupal 2FA module provided a solid foundation for the development of the customized solution.
Why Drupal was chosen
- Drupal was chosen as the platform for the project due to its flexibility and ability to support custom modules.
- It is open source with no overheads, unlike proprietary software.
- Evidently, Drupal is a popular choice for high-profile websites, with thousands of such websites running on the platform. Furthermore, Drupal has exhibited an exponential growth trend over time.
- Overall, Drupal's flexibility, support for custom modules, and modular architecture made it an ideal choice for the development of a customized 2FA solution for the client.