Our clients are asking us for the use of authenticator apps. We have implemented this for our non-Sphinx apps, but it would be great to be able to do this here.
MFA is now a requirement for all users of online systems to comply with the latest version of the UK's Cyber Essentials, so it would be great if this could be implemented.
By the way, the email that Sphinx already provides (which can also be used to send an SMS) is already sufficient for UK Cyber Essentials. Obviously people want the authenticator stuff, but to get signed off for certification you can use what is there.
@Weetch_Russell that is on our radar as well. Actually, more specifically the WebAuthn standard; is that what you are looking for? A new feature request could be created so we can track it. Both will be implemented.
You mean OnGenerateEmailConfirmationToken? - it's only used for email validation. I need Sphinx to be able to also do OTP as part of signon, i.e.: prompt for the name, password and then email OTP and prompt for it, before the signon is complete, as a 2nd factor authentication.
@Alexander_Pastuhov you are correct. This is a critical step for any login authentication. There should be a GenerateLoginConfirmationToken event, and ideally it should also support the MFA apps (like Google Authenticator and Microsoft Authenticator). OTP is essential for Cyber Essentials certification.
@wlandgraf have I missed something in Sphinx for this? If not where are these developments in the Sphinx pipeline at the moment? If they are a long way off I think I'll need to do something as an alternative until then.
At the same time, I'd like to plug in some custom code in that prompt, which potentially can do a variety of things, like rejecting specific email addresses, or adding a TOTP prompt to the login prompt, changing layout, styling, changing favicon, adding extra text and JS, etc. But the entire form is shipped in JS, zipped into a resource, so it's hard to get to: I would need to extract it, modify it and bundle it back as a resource - hardly a proper way for a Delphi developer to do things (albeit still doable). So a related request would be to externalize this form into a separate Delphi PAS/DFM, so it can be modified if need be.
Or to rephrase: if this login prompt were a normal, easily customizable Delphi form, I could just add TOTP 2FA easily enough myself. But as it stands, we have all these additional requests now...
Would also be nice to be able to use (or not) cookies to sign the user in promptlessly, ideally configurable by user (or their Group).
I.e.: Azure is normally very lax and would typically not require explicit login every time. But that's configurable and can be changed to require login more frequently, or less frequently, or every time. That's on top of 2FA, which is a separate option and can also be configured to be more or less lax.