Caddy plugin that adds TOTP 2FA to enhance basic authentication

Hi Caddy community!

I’m happy to introduce BasicAuthTOTP, a new plugin for Caddy. This plugin extends Caddy’s existing basic_auth directive by incorporating Time-based One-Time Password (TOTP) two-factor authentication (2FA).

Overview:

BasicAuthTOTP requires users to input a valid TOTP code in addition to their basic auth credentials, adding an extra layer of security to protected routes. This makes it a suitable option for scenarios where basic auth alone may not be sufficient.

How It Works:

When accessing a protected route, users will first be prompted to enter their Basic Authentication credentials. After successfully completing Basic Authentication, they will see a 2FA prompt to enter their TOTP code, as shown below:

image

Use Cases:

This plugin is best suited for smaller, internal user groups and is useful for securing routes or applications that need an extra layer of security without requiring a comprehensive authentication solution.

:8080 {
    handle /top-secret/* {
        basicauth {
            user hashed_password
        }

        basic_auth_totp {
            session_inactivity_timeout 8h
            secrets_file_path /path/to/2fa-secrets.json
            cookie_name basicauthtotp_session
            cookie_path /top-secret
            logout_path /top-secret/logout
            logout_redirect_url /
        }

        respond "Welcome, you have passed basic and TOTP authentication!"
    }
}

I initially developed BasicAuthTOTP for personal projects, but it’s now a registered plugin, so others can try it out as well. I hope it proves useful!

1 Like

Have you considered using a more fully featured solution like Authelia with Caddy’s forward_auth?

1 Like

I have used Authentik and Caddy Security ( AuthCrunch, which I also mentioned in the Readme as Tip), but I was looking for something much simpler to configure and maintain - especially for just internal Users.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.