Great news! We developed a Two-Factor-Authentication (2FA) plugin for LimeSurvey. The purpose of this plugin is to enhance the security of your account and collected data. We will cover in this article some basics about the new 2FA plugin and how a super administrator can enforce 2FA for each LimeSurvey user.
2FA is a way to add additional security to your account. It is called "two-factor authentication" because two verification methods are used to access your account. The first "factor" is your usual password which is standard for any account. The second "factor" is a verification code retrieved from a 2FA application either from your computer or mobile device. For more details about 2FA and its importance, please visit the following article.
Setting up the 2FA
To see it at work, please create a free LimeSurvey account, access your LimeSurvey instance, and activate it from your Plugin Manager:
Once enabled, you and your users can activate it from your own personal 2FA settings. To access them, click on the “2-Factor-Settings” menu item located on the top bar and select "2FA-Setting":
On the next page, click on “Register 2FA now”:
Once done, you will be prompted by the following message box:
- Select the 2FA authentication method. By default, five different 2FA types are provided: Google Authenticator (default), Authy, YubiKey, Authenticator Plus, Duo, and HDE OTP.
- Scan the QR code with your mobile phone. For a list of application recommendations, check this article.
- Enter the confirmation key displayed in your 2FA application (by default, a six-numeric code).
Once done, click on the button "Create 2FA binding". To test it, please log out and log in again:
Congratulations! You have just enhanced the security of your LimeSurvey instance!
Enforce your 2FA
If you wish to enforce this security measure, go to Plugin Manager, and configure the 2FA system at the global level. The following page will be loaded:
Please go to the last option, enable Force 2FA, and save the changes. In this way, your users will be forced to create a 2FA key after their first login. If you have the necessary global permission, you can check under the 2FA administration panel which users are using the 2FA system (see the last column):
Deactivate or reset your 2FA
To deactivate 2FA authentication, go to your personal 2FA settings and click on "Unset 2FA": Confirm your action to delete the 2FA token associated with your account. Please note that you will need to re-authenticate again if "Force 2FA" is enabled from the plugin settings. In case you cannot log in anymore into your instance and you wish to reset your 2FA settings, contact your LimeSurvey instance super administrator to delete the 2FA token associated with your account. That way, you will be able to log in again to your account and create a new 2FA token. Try the plugin and let us know what are your thoughts. Join our forum discussion topic! We are looking forward to hearing your feedback!
Additional Information
Please note that all token authentication systems that provide time-based hash tokens work with the plugin. For more details about the plugin, please check this wiki page.