OTP / 2FA in Survey

4 years 9 months ago #186497 by theendeavorist
OTP / 2FA in Survey was created by theendeavorist
Hey peeps,

I have searched the forum for an answer but couldn't find anything directly related:

The challenge for today: Is it possible to set up a 2FA/OTP (email/sms etc) in a Survey?

What I want to do is to have a survey with X questions, ending with a button which will send a One Time Password to the email address the specific survey has been sent out to. This OTP can then be entered in a field, the user clicks send/finish survey, the code gets validated and if correct, the Survey is finished. If the OTP is entered incorrectly, the survey is not submitted.

What this solves in practice is that the person who owns the email address/mailbox needs to have access to this box. If the email/survey has been forwarded to someone else, they can't enter the OTP since it's going to the original email address for the specific survey.

Looking forward to your ideas and thanks for the feedback!
The topic has been locked.
4 years 9 months ago #186503 by DenisChenu
Replied by DenisChenu on topic OTP / 2FA in Survey
Hi,

You must do a plugin for this

1. manual.limesurvey.org/AfterSurveyComplete to create the OTP and send the email
2. manual.limesurvey.org/NewDirectRequest to validate and show a page

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
The following user(s) said Thank You: cdorin, theendeavorist
4 years 9 months ago #186513 by Joffm
Replied by Joffm on topic OTP / 2FA in Survey
To understand correctly:
After answering the questions - but before submitting - a password is created and sent to the respondent.
On the next page the respondent has to enter this password.
If correct he is able to submit.

I did this by an ajax call like this:
Code:
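<script type="text/javascript" charset="utf-8">
$(document).on('ready pjax:scriptcomplete', function(){
  // Post the generated code ({e1PW}) and the respondent's address to the mail script
  $.post('https://www.myServer.de/sendCode.php', { pw: "{e1PW}", email: "{email}" }, function(data) {
    // Store the script's response in this question's text input
    $('#question{QID} input[type="text"]').val(data);
  });
  // Hide the question that carries this script
  $('#question{QID}').hide();
});
</script>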

sendCode.php is a very simple script that only sends the code to the email address.
Like this:
Code:
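<?php
// Assumption: PHPMailer 6 installed with Composer; adjust the include for other setups
require 'vendor/autoload.php';
use PHPMailer\PHPMailer\PHPMailer;

// Code and recipient address as posted by the survey page
$Code  = $_POST['pw'];
$email = $_POST['email'];

// Send the code as the body of the message
$mail           = new PHPMailer();
$mail->From     = 'example@ls.org';
$mail->FromName = 'FromName';
$mail->Subject  = 'Your Code';
$mail->MsgHTML($Code);
$mail->AddAddress($email);
$mail->Send();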

And on the next page you can do something like that:



Volunteers are not paid.
Not because they are worthless, but because they are priceless
The following user(s) said Thank You: theendeavorist
4 years 8 months ago #186872 by theendeavorist
Replied by theendeavorist on topic OTP / 2FA in Survey
Excellent explanations. I will have a look, thanks for all the input!
4 years 8 months ago #186873 by theendeavorist
Replied by theendeavorist on topic OTP / 2FA in Survey
Thanks! I will have a look at these links for sure to see if I can get it up and running.
4 years 8 months ago #186964 by oledole
Replied by oledole on topic OTP / 2FA in Survey
Hi. I'm working together with the Endeavorist to set this up but I'm running into some problems.

the sendCode.php script with some modifications works fine when going to its URL location to run it.

However it doesn't run when we try to run the ajax call in the survey.

How we are doing it right now:
We have a question of type short free text (code Q02).
In the source we have this code:

<script type="text/javascript" charset="utf-8">
$(document).on('ready pjax:scriptcomplete',function(){
$.post('oururl/sendCode.php' , { pw: "test", email: "ole@digitalrevisor.no" },function(data) {

$('#question{Q02} input[type="text"]').val(data)

});
$('#question{Q02}').hide();
});
</script>

Is this done right? If I understand it right the question inside the $('#question') is the question where the code will be input. When does this script run? Is it when the question loads?

Thank you for your help.
4 years 8 months ago #186971 by tpartner
Replied by tpartner on topic OTP / 2FA in Survey
This:
Code:
$('#question{Q02} input[type="text"]')

Should be this:
Code:
$('#question{QID} input[type="text"]')

The JavaScript will run when the page is loaded.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The following user(s) said Thank You: oledole
4 years 8 months ago - 4 years 8 months ago #186974 by Joffm
Replied by Joffm on topic OTP / 2FA in Survey
Hi, how can I know.
First question: equation "e1PW" to generate the password.
Second question: "short free text" with the script.
Third question "short free text": Please, enter the password, ...

All in one group - or not.

See here:
I got the mail


and the question
wrong:


correct:


I cannot say more. Now it's up to you.

Joffm

Okay, I see, tpartner found your problem.
And I saw, that this wasn't in the script I provided.
Remember, the curly brackets surround a Placeholder, here the questionID QID.

Last edit: 4 years 8 months ago by Joffm.
The following user(s) said Thank You: oledole
4 years 8 months ago #187005 by oledole
Replied by oledole on topic OTP / 2FA in Survey
Hi. Thank you for your help so far.

I must be doing something wrong, because it is not working for me. I'm not very experienced in setting up surveys so perhaps I did something wrong with the questions?

Is there any chance you could provide an example survey file, so that I can see clearly how you've done it?
4 years 8 months ago #187007 by Joffm
Replied by Joffm on topic OTP / 2FA in Survey
Better you send your example, so we may find an issue.

But here you are:

File Attachment:

File Name: limesurvey...8531.lss
File Size:17 KB


Joffm

The following user(s) said Thank You: oledole
4 years 8 months ago - 4 years 8 months ago #187024 by oledole
Replied by oledole on topic OTP / 2FA in Survey
Hi.

I took a look at your file (thank you for providing it!) and saw what I did wrong. I really didn't know how to use the equation question type and I had some errors in my code. This is how it looks now:
Code:
<script type="text/javascript" charset="utf-8">
$(document).on('ready pjax:scriptcomplete', function(){
  $.post('oururl/sendCode.php', { pw: "{e1PW}", email: "{TOKEN:EMAIL}" }, function(data) {
    $('#question{QID} input[type="text"]').val(data);
  });
  $('#question{QID}').hide();
});
</script>

And this seems to work perfectly after multiple tests. Thank you for the help!

There is one weird thing that I don't know why is happening though. A piece of text saying "string(10) "Not Active" appears at the top of our result page (which otherwise looks normal):



Could this be because we've turned ajax mode off in our theme? We had to do this because of another plugin. Is there a way to hide this piece of text?

Thank you for your help.
Last edit: 4 years 8 months ago by oledole.
4 years 8 months ago #187033 by DenisChenu
Replied by DenisChenu on topic OTP / 2FA in Survey
Hi,

Doing it via javascript is a false good idea …

This line
Code:
$.post('https://www.eample.org/sendCode.php' , { pw: "{e1PW}", email: "{email}" },function(data) {
is in the HTML source. Then it can be read even without the email.

The only real secure solution is to do it in PHP only, for example

Create a hidden question with the password, you can use generateUniqId for example
Add a short text question at the last group
During beforeQuestionRender send the email.
During afterSurveyComplete (or beforeSurveyPage, unsure) check the validity of the answer with PHP only …

The following user(s) said Thank You: oledole
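
The PHP-only handling described in the last reply, as an added example that is not part of the original thread or of LimeSurvey: the code is created and checked on the server, so it never appears in the page source. The class name SurveyOtp, its methods, the in-memory store (a stand-in for a database table) and the sample token are assumptions; wiring it to the plugin events named above is not shown.

```php
<?php
// Added example, not LimeSurvey code: SurveyOtp and its methods are hypothetical names.
final class SurveyOtp
{
    private array $store = []; // stand-in for a database table keyed by survey token
    public function __construct(
        private string $serverSecret, // stays on the server
        private int $ttlSeconds = 600,
        private int $maxAttempts = 5
    ) {}

    // Create a 6-digit code. The return value goes into the e-mail body only.
    public function issue(string $token, int $now): string
    {
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->store[$token] = [
            'mac'      => $this->mac($token, $code), // the plain code is not stored
            'expires'  => $now + $this->ttlSeconds,
            'attempts' => 0,
        ];
        return $code;
    }

    // Check what the respondent typed. Succeeds at most once per issued code.
    public function verify(string $token, string $submitted, int $now): bool
    {
        $entry = $this->store[$token] ?? null;
        if ($entry === null || $now > $entry['expires']
            || $entry['attempts'] >= $this->maxAttempts) {
            unset($this->store[$token]); // unknown, expired or too many guesses
            return false;
        }
        $this->store[$token]['attempts']++;
        if (!hash_equals($entry['mac'], $this->mac($token, trim($submitted)))) {
            return false;
        }
        unset($this->store[$token]); // single use
        return true;
    }

    private function mac(string $token, string $code): string
    {
        return hash_hmac('sha256', $token . ':' . $code, $this->serverSecret);
    }
}

$otp  = new SurveyOtp(random_bytes(32));           // constructed demo values
$code = $otp->issue('constructed-token', time());  // would be mailed, never rendered
var_dump($otp->verify('constructed-token', 'wrong', time())); // a guess
var_dump($otp->verify('constructed-token', $code, time()));   // the mailed code
```

The constructor syntax needs PHP 8.0 or later.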