TSphinxConfig event for OnSend2FACode

Weetch_Russell · August 2, 2024, 12:46pm

Add an event To TSphinxConfig so that a 2FA code can be emailed to the user.

wlandgraf · August 3, 2024, 12:49pm

There are a few problems with this:

Sphinx doesn't automatically generate 2fa code. It's you, the developer who does that by calling UserManager.ResetAuthenticatorKey. So no need for an event in this case.
Usually users have to confirm at least one authenticator code to enable 2fa. So receiving the secret would, ideally, still require that they input the authentication code to enable 2fa.

Weetch_Russell · August 5, 2024, 8:26am

I think I didn't express it clearly enough.

When the form form for the validation code, the one where the code from a validator app is entered, it would be useful to have an event on the server that can be used so the developer can calculate and email the required code to the user.

Although the authenticator apps are the preferred method for retrieving a code some clients want a code sent by email or sms (I am still amazed that the banks use this method, but that's people for you).

wlandgraf · August 5, 2024, 10:33am

Still currently it doesn't make much sense, as the validation code is by default valid for 30 seconds only.

Weetch_Russell · August 5, 2024, 11:33am

We have a solution in one of our webbroker apps where the user can choose the method of receiving the code - App, Email, SMS and depending on what they have selected determines how long the code is valid for, so in this example EmailValidationTime is a constant

const
  OTPValidationTime = 30;
  SMSValidationTime = 400;
  EmailValidationTime = 600;


lCode := TOTPGen.GenerateTOTP(lUser.MFAKey, EmailValidationTime);

class function TOTPGen.GenerateTOTP(const pBase32EncodedSecretKey:string; const TimeStepWindow:integer = 30; const pOutputLength:TOTPLength = TOTPLength.SixDigits):string;
begin
  Result := GenerateHOTP(pBase32EncodedSecretKey, GetCurrentUnixTimestamp(TimeStepWindow), pOutputLength);
end;

Weetch_Russell · September 2, 2025, 1:33pm

Just wanted to re-raise this as we will likely have a need for it in the near future.

Ideally the TUser entity would need a field MfaKind (mfaApp, mfaEmail, mfaSMS) and the TSphinxConfig an OnSendMFA event.

Or maybe a OnGetMFA(const TimeToLIve: integer);

Alternatively, if you can think of a work around we could do to implement this ourselves, that would be great.

Maybe another case study in the offing then

wlandgraf · September 2, 2025, 9:08pm

Ok, maybe the correct solution is to allow multiple ways for user to confirm second factor authentication.

That should not be the same code as the one from the authenticator because, as I mentioned, such code only lasts 30 seconds.

Probably we should generate a specific authenticator token for e-mail/SMS and then use it if user wants to authenticate via e-mail/SMS.

This is not rocket science but not trivial, especially because it will require significant changes in the UI, a new step in UI will be required to show the options for 2fa authentication with options like "receive code via e-mail", "use authenticator app", etc.

Topic		Replies	Views
Enable a 2FA to last for a set number of days BIZ Feature Requests sphinx	2	262	November 22, 2022
OTP For Login validation BIZ Feature Requests sphinx	3	373	July 19, 2024
OTP/MFA Implementation TMS Sphinx	20	968	February 29, 2024
TSphinxConfig.OnGenerateEmailConfirmationToken event not triggered TMS Sphinx	5	46	July 11, 2025
Sphinx 2fa usage TMS Sphinx	10	190	July 31, 2024

TSphinxConfig event for OnSend2FACode

Related topics