I have a MODX (2.x) website with in the region of 2500-3000 users. Users can log in to the website using the Login extra (Login 1.9.13-pl | MODX Extras).
As security is a continuing concern, I recently added GoogleAuthenticatorX to ensure the small number of MODX Manager user logins are protected with 2-factor authentication (GoogleAuthenticatorX 1.3.3-pl | MODX Extras). 99% of users do not have access to the Manager of course.
This extra states that it can also protect “front end login via pre-hook for “Login” extra”. However, I’m unable to find any documentation for this and am concerned it isn’t production-ready or flexible enough for my needs. For example, at a minimum I would require that users can set up their 2FA app (e.g. Google Authenticator) via logging into the web context. If users require access to the MODX manager to set up 2FA, that would be unacceptable. I don’t plan to enforce 2FA on all users, so it should be an optional process for those looking for more security.
My questions are:
Has anybody used GoogleAuthenticatorX to enable 2FA on their front end web logins?
Are there any other recommendations for enabling 2FA with the Login extra?
Perhaps I should be looking at third-party services which could be integrated into MODX? Something which supports 2FA via mobile phone as well as authenticator app?
Thanks for your thoughts on this!