[Neos] Implementing an own authentication provider?

[Torben Hansen]

Hi all,

I'm trying to extend the Neos backend login with a two-factor authentication. I thought, I could just create a new authentication provider and authentication token and add the provider to the settings.yaml, but obviously I'm missing something.

My first problem is, when I install the package with my authentication provider to my Neos site and set "authenticationStrategy: allTokens" in TYPO3.Flow.security.authentication, I end up in a redirection loop to the Neos login form.

When I set "authenticationStrategy: atLeastOneToken", then the login form is displayed and the new authentication provider seems to work (I could see, that my token input was parsed in the Neos security log). But that is actually not what I want, since both tokens need to be checked and valid.

My second problem is more general, since I'm unsure how to implement the two-factor authentication in the Neos authentication process. I could imagine two scenarios.

Scenario 1

1. Neos username/password login (Typo3BackendProvider - entryPoint: 'WebRedirect')
2. My 2FA Form (My2FAProvider - entryPoint: 'WebRedirect')

For this scenario, I could display the 2FA form after the username/password form. But - I'm really not sure if this is possible at all, since the authentication process would be interrupted by the 2FA form.

Scenario 2 

1. Extend Neos username/password login with 2FA field

This is the scenario I'm running into problems right now. I just added my 2FA field to the default Neos login template and here I run into the redirection-problems as soon as I set the authentication strategy as described above. Also here, I'm not sure if this is the way to go if I want to add 2FA to the Neos login. Is there an easy way to override the Neos Login form from my package?

It would be great if someone could give me some assistance or point me in the right direction.

Best regards
Torben