MFA for your Enterprise Moodle

8 May 2020 by Andrew Boag

Taking this opportunity to congratulate and thank two of our great Moodle developers, Brenden Heywood, Mikhail Golenkov and Peter Burnett, for the work they are doing developing and releasing the Moodle Multi-Factor Authentication plugin. It's free and open source, just like good software should be.

Wikipedia defines Multi-Factor Authentication (MFA) as:

Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

We’ve likely all been exposed to MFA already. Whether it’s your banking login, cloud dashboard or your corporate VPN, more and more authentication gateways require more than just a login and password.

It may be implemented using a physical keyring token, a smartphone app or even using SMS messaging.

It has long been accepted that mission-critical systems should require more than a login and password for access. Catalyst has seen a growing need for a higher level of security among our Enterprise Moodle clients. Our MFA Moodle plugin reduces the risk of malicious logins.

This work has been supported by some of our great government clients over 2019 and 2020. The good news is that there are discussions in play with some European universities to sponsor further features and authentication device support.

For those clients who have rolled this out, we typically see them rolling out MFA only for admin (superusers), which the plugin supports. The plugin also lets us use network location as one of the "factors" - meaning we can specify particular network address ranges (VPN / internal network) as a requirement for some users to successfully log in. This means that while your Moodle may be available on the Internet, admin user credentials will only work from approved networks.

The most typical setup we are seeing so far is standard TOTP using Google Authenticator or any other solution (of which there are plenty) that conforms to the open TOTP standard.
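To make the two factors described above concrete (the TOTP code from an authenticator app, and the network-range requirement for admin users), here is an added Python example that is not part of the plugin or of the original post. It implements RFC 6238 TOTP (6 digits, 30-second step, SHA-1, which is what Google Authenticator uses) with a one-step drift window, plus a CIDR check, and combines them into one admin login decision; the secret and networks are constructed test values, the secret being the RFC test key.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6         # code length produced by Google Authenticator


def totp(secret_b32: str, t: int) -> str:
    """Compute the RFC 6238 TOTP code for Unix time t (HMAC-SHA1, 6 digits)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", t // STEP)                  # 8-byte big-endian counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret_b32: str, code: str, t: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift).

    Constant-time comparison so timing does not leak which digits matched.
    """
    return any(
        hmac.compare_digest(totp(secret_b32, t + k * STEP), code)
        for k in range(-window, window + 1)
    )


def from_approved_network(client_ip: str, approved_cidrs: list[str]) -> bool:
    """Network-location factor: is the client inside one of the approved ranges?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in approved_cidrs)


def admin_login_allowed(client_ip: str, code: str, secret_b32: str,
                        approved_cidrs: list[str], t: int) -> bool:
    """Admin credentials only work from an approved network AND with a valid TOTP."""
    return from_approved_network(client_ip, approved_cidrs) and verify_totp(secret_b32, code, t)


# Constructed demo values: RFC 6238 test secret ("12345678901234567890" in base32)
# and a hypothetical internal/VPN range; neither is from the plugin.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_CIDRS = ["10.0.0.0/8", "192.0.2.0/24"]

if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))                                         # 287082
    print(admin_login_allowed("10.1.2.3", "287082", DEMO_SECRET, DEMO_CIDRS, 59))   # True
    print(admin_login_allowed("203.0.113.7", "287082", DEMO_SECRET, DEMO_CIDRS, 59))  # False
```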

We welcome you all to download and make use of the Moodle Multi-Factor Authentication plugin! It’s free and open source, just like good software should be.

Other Moodle plugins that you should review:

  • Admin tools: Security Questions - requires users to answer their security questions before a password reset.
  • Password Validator - a password validator that improves on the current Moodle plugin with all sorts of good checks. It also pings "Have I been pwned?", so any known weak password is rejected.
