
Custom Conditions for Two-Factor Authentication

Warning: You are browsing the documentation for version 5.x which is not maintained anymore. If some of your projects are still using this version, consider upgrading.


Your application may have extra requirements for when to perform two-factor authentication that go beyond what the bundle does automatically. In that case, implement \Scheb\TwoFactorBundle\Security\TwoFactor\Condition\TwoFactorConditionInterface:

<?php

use Scheb\TwoFactorBundle\Security\TwoFactor\AuthenticationContextInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Condition\TwoFactorConditionInterface;

class MyTwoFactorCondition implements TwoFactorConditionInterface
{
    public function shouldPerformTwoFactorAuthentication(AuthenticationContextInterface $context): bool
    {
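        // Your conditions here: return true to perform 2fa, false to skip it.
        // Placeholder default so the method satisfies its bool return type.
        return true;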
    }
}

Register it as a service and configure the service name:

# config/packages/scheb_2fa.yaml
scheb_two_factor:
    two_factor_condition: acme.custom_two_factor_condition
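
A worked condition for the interface above, added here as an example and not taken from the bundle's own code or documentation. The class name, the namespace, the role list and the CIDR ranges passed to the constructor are assumptions; the class is assumed to be registered under the `acme.custom_two_factor_condition` service id configured above.

```php
<?php

namespace Acme\Demo;

use Scheb\TwoFactorBundle\Security\TwoFactor\AuthenticationContextInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Condition\TwoFactorConditionInterface;
use Symfony\Component\HttpFoundation\IpUtils;

// Hypothetical policy (an assumption for this example): privileged roles always
// perform 2fa; other users may skip it only from an allowlisted internal range.
class InternalNetworkTwoFactorCondition implements TwoFactorConditionInterface
{
    /** @var string[] CIDR ranges, e.g. ['10.0.0.0/8'] (constructed sample value) */
    private $internalCidrs;

    /** @var string[] roles that must never skip 2fa */
    private $alwaysRequireRoles;

    public function __construct(array $internalCidrs, array $alwaysRequireRoles = ['ROLE_ADMIN'])
    {
        $this->internalCidrs = $internalCidrs;
        $this->alwaysRequireRoles = $alwaysRequireRoles;
    }

    public function shouldPerformTwoFactorAuthentication(AuthenticationContextInterface $context): bool
    {
        // Privileged accounts perform 2fa regardless of network location.
        $roles = $context->getToken()->getRoleNames();
        if (array_intersect($this->alwaysRequireRoles, $roles) !== []) {
            return true;
        }

        // getClientIp() honours X-Forwarded-For only when trusted proxies are
        // configured. An unknown address or an empty allowlist fails closed.
        $clientIp = $context->getRequest()->getClientIp();
        if ($clientIp === null || $this->internalCidrs === []) {
            return true;
        }

        // Skip 2fa only when the address falls inside an allowlisted range.
        return !IpUtils::checkIp($clientIp, $this->internalCidrs);
    }
}
```

`getRoleNames()` returns only the roles assigned to the token and does not expand `role_hierarchy`, so list every role that must always perform 2fa explicitly.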

Bypassing Two-Factor Authentication

ℹ️ This approach only works when you're using Symfony's authenticator-based security system.

If you simply wish to bypass 2fa for a specific authenticator, setting the TwoFactorAuthenticator::FLAG_2FA_COMPLETE attribute on the token will achieve this.

For example, if you are building a custom authenticator, this would bypass 2fa whenever that authenticator is used:

<?php

namespace Acme\Demo;

use Scheb\TwoFactorBundle\Security\Http\Authenticator\TwoFactorAuthenticator;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;

class MyAuthenticator extends AbstractAuthenticator
{
    public function createAuthenticatedToken(PassportInterface $passport, string $firewallName): TokenInterface
    {
        $token = parent::createAuthenticatedToken($passport, $firewallName);

        // Set this to bypass 2fa for this authenticator
        $token->setAttribute(TwoFactorAuthenticator::FLAG_2FA_COMPLETE, true);

        return $token;
    }

    // ...
}
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.