This plugin extends the plain authentication of DokuWiki with two-factor authentication based on the Yubikey by Yubico. A Yubikey generates a one-time password, which the Yubico servers can check for validity.
You have to ensure that your PHP installation supports PEAR and curl (i.e. php-pear and php5-curl must be installed on Debian-based systems). If you don't have shell access to your server, you can check via phpinfo() whether these modules are installed on your system.
First of all you must set authtype to authyubikey in the Configuration Manager. Of course you can also set this parameter by editing conf/local.php or conf/local.protected.php:
$conf['authtype'] = 'authyubikey';
Then you have to set the following parameters in the plugin section of the Configuration Manager:
$conf['plugin']['authyubikey']['yubico_client_id'] = 12345;
$conf['plugin']['authyubikey']['yubico_secret_key'] = 'secret_key_from_yubico';
$conf['plugin']['authyubikey']['yubico_maxkeys'] = 2;
Furthermore, it is important that every user can update his own profile, so the parameter disableactions must not contain the value profile. Alternatively, if you are using the Configuration Manager, you must ensure that the checkbox Update profile of the config item disableactions is not checked.
Now the user can update his user profile and add his personal Yubikey IDs. In the Update profile form, the user places the cursor in the Yubikey ID field and presses the button on the Yubikey. The first 12 characters of the generated one-time password are saved in a new configuration file conf/users.yubikeys.php. This file has the simple format
This way, a certain Yubikey is bound to a specific user login. From now on, this user can only log in by giving username and password and pressing the Yubikey. A Yubikey can be deleted from the user profile by simply leaving the Yubikey ID field empty in the Update profile form.
If there is no Yubikey ID saved for a user, the user can log in with his username and password alone. So your users can decide whether they want to secure their accounts with two-factor authentication.
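The binding between a login and the first 12 characters of the one-time password, and the fallback for users without a saved Yubikey ID, can be sketched as follows. This is an added example, not the plugin's own code: the function names and the in-memory $bindings map are hypothetical, the default 44-character modhex OTP layout is assumed, and the online validation against the Yubico servers is not performed here.

```php
<?php
// Added illustration; not the authyubikey plugin's source code.
// Assumption: default Yubico OTP layout of 44 modhex characters.
const MODHEX_OTP = '/^[cbdefghijklnrtuv]{44}$/';

/** Return the 12-character Yubikey ID of an OTP, or null if malformed. */
function yubikey_id(string $otp): ?string
{
    $otp = strtolower(trim($otp));
    return preg_match(MODHEX_OTP, $otp) ? substr($otp, 0, 12) : null;
}

/**
 * Decide what the second-factor check needs for this login.
 * $bindings is a hypothetical in-memory map: login => list of Yubikey IDs.
 * Returns 'not_enrolled', 'reject' or 'validate_online'.
 */
function second_factor_decision(array $bindings, string $user, string $otp): string
{
    $ids = $bindings[$user] ?? [];
    if ($ids === []) {
        return 'not_enrolled';    // no Yubikey ID saved: password alone is accepted
    }
    $id = yubikey_id($otp);
    if ($id === null || !in_array($id, $ids, true)) {
        return 'reject';          // missing, malformed, or another user's key
    }
    return 'validate_online';     // ID matches; the OTP itself still needs checking
}

// Constructed sample data (not real keys).
$bindings = [
    'alice' => ['cccccccfhcbe', 'ccccccdjvrtn'],
    'bob'   => [],
];
$otp = 'cccccccfhcbe' . str_repeat('bdefghij', 4); // constructed 44-char OTP

foreach ([['alice', $otp], ['alice', ''], ['bob', ''],
          ['alice', 'vvvvvvvvvvvv' . str_repeat('c', 32)]] as [$user, $given]) {
    printf("%-6s %-16s => %s\n", $user, substr($given, 0, 12) ?: '(none)',
        second_factor_decision($bindings, $user, $given));
}
```

The 12-character ID is the same in every password a given Yubikey emits, so a match only selects which key is expected; the full one-time password still has to be accepted by the Yubico servers before the login succeeds.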