MFA Configuration

When configuring Multi-Factor Authentication (MFA) features, especially in systems that involve user authentication and data protection, encryption and salting mechanisms are critical. Two environment values are required: a secret and a salt. Both work in tandem to maintain the integrity, confidentiality, and robustness of the MFA feature, ensuring that users’ authentication processes are both secure and trustworthy.

• CYBUS_MFA_ENABLED: when set to ‘true’, the MFA feature will be enabled in general. When set to ‘false’, the MFA feature is disabled.

• CYBUS_MFA_ENCRYPTION_SECRET: the key for MFA encryption

• CYBUS_MFA_ENCRYPTION_SALT: the salt as extra layer of randomness for MFA encryption

• CYBUS_MFA_MAX_INVALID_OTPS_PER_USER: (optional) maximum number of invalid OTPs a user can enter during the MFA login flow before the account gets temporarily deactivated

• CYBUS_MFA_BAN_DURATION_MINUTES: (optional) duration in minutes for temporarily user account deactivation after failing multiple times entering invalid OTPs during MFA login flow

Note

Keep in mind that the combination of CYBUS_MFA_ENCRYPTION_SECRET and CYBUS_MFA_ENCRYPTION_SALT ensures the cryptographic robustness of 2FA tokens, making them both safe and distinct. If these values are compromised, it would expose the system to potential unauthorized access and breaches. By modifying these values, previously generated 2FA secrets became undecipherable. As a consequence, users with 2FA enabled would be unable to log in anymore.

Example configuration:

CYBUS_MFA_ENABLED=true
CYBUS_MFA_ENCRYPTION_SECRET=18473274-5073-11ee-be56-0242ac120002
CYBUS_MFA_ENCRYPTION_SALT=229c75c2-5073-11ee-be56-0242ac120002