New Features in WoltLab Suite 5.4: Sessions and Multi-Factor Authentication

Photo by roberto monterola jr. on Unsplash

A major focus during the development of WoltLab Suite 5.4 was the sensible technical revision of individual components that have become somewhat outdated in the meantime. The first of these is the overhaul of the session system, which we would like to discuss in more detail in this article.

Overhaul of the Session System

The session system is ubiquitous and is the basis for interacting with features, such as signing in or managing quotes. With WoltLab Suite 5.4, we have extensively revised this system to further improve comfort and security. Sessions no longer expire during normal use but are intelligently renewed while maintaining an improved level of security. With optional multi-factor authentication, we have also created the native ability to dramatically improve user account security.

Better Multi-device Management

Sessions on different devices (such as desktop or smartphone) are now strictly separated. A new area in the control center lets users view the list of active sessions on their account and terminate individual sessions as needed.

List of the active sessions

More User-friendly Access to the Admin Panel

The frontend and the admin panel will share a session in the future. Therefore, only a re-authentication (re-entering the password) is required to access the admin panel.

Re-authentication to access the admin panel

Multi-factor Authentication

Building on the overhaul of the session system, there is also the option to set up multi-factor authentication for a user account to increase the security of the account. With multi-factor authentication, the user must provide another authentication feature in addition to the password to successfully complete the login process to an account. For this purpose, WoltLab Suite 5.4 offers several methods to choose from:

Time-based One-time Password („TOTP“)

With the time-based one-time password algorithm, time-limited one-time passwords are generated for authentication. This can be done, for example, with the help of the smartphone app "Google Authenticator". The TOTP method is the most common method for multi-factor authentication and is therefore probably already known to the user from other platforms.

Setup of the TOTP method

Email ("Device Confirmation")

With this method, when logging in, the user receives an email at the address stored in the account, which contains a one-time code that must be entered in addition to the password in order to complete the login process.

Device confirmation example

WebAuthn

WebAuthn enables authentication based on factors such as biometric features (e.g. fingerprint sensors) or hardware tokens (e.g. USB). Authentication based on WebAuthn will be offered by us as part of a separate plugin.

Setup of the WebAuthn method

Emergency Codes

In addition, the system provides emergency codes in case the user has lost access to the stored method, for example, due to the loss of the smartphone.

List of emergency codes

Furthermore, the system is implemented flexibly and can be supplemented by plugins with additional methods. Existing data from the plugin 2-factor authentication will be taken over when updating to WoltLab Suite 5.4 (many thanks at this point to Hanashi for the cooperation).

Based on user groups, the use of multi-factor authentication can be enforced to better protect especially sensitive user accounts (such as administrators or moderators).

Of course, multi-factor authentication is fully integrated into existing functionality. For example, the visibility of user notices can be made dependent on whether the user is using multifactor authentication.