Hello Everyone
I'm using an archiving system (Laserfiche) and need to enable multi-factor authentication (MFA) for login, specifically through a service that sends a verification code via mobile SMS.
Is there a way to integrate the archiving system with an SMS-based verification service?
Question
SMS MFA for Directory Server logins
Replies
Hello Abdulrheem,
Your options for MFA in Laserfiche depend on the type of user accounts and identity provider(s) (IDPs) you have (or will have).
Laserfiche Directory Server supports TOTP (authenticator app code) MFA for "Laserfiche" users. See Enabling Multi-Factor Authentication. As that doc page says, "You may still configure MFA for SAML and Active Directory (AD) users through your identity provider." There is no SMS MFA option in Laserfiche itself, as SMS MFA is widely considered less secure. We understand there may sometimes be older requirements to have it but we're not going to add native support for an insecure MFA method. Some external references for that:
- The Urgent Need to Replace SMS-based MFA | 1Password
- SMS Two-Factor Authentication – Worse Than Just a Good Password? | Okta Security
- SMS-Based Authentication: Why It’s No Longer Enough for Security - Authsignal
- Do you use SMS for two-factor authentication? Don't. - CNET
For SAML users, you may have an SMS MFA option from the SAML identity provider. In that case, the MFA happens during the SAML identity provider's authentication flow, entirely outside of Laserfiche.
For AD users, you can either:
- Use a third-party solution like Duo that enables MFA on AD logins (which happens outside of Laserfiche), or
- If AD users are synced to a SAML IDP like Microsoft Entra, Okta, etc., set up that SAML provider as a Linked Provider (see that section of Working with a SAML Identity Provider), and configure MFA on the SAML IDP as mentioned above.
Hope that information is helpful. I renamed the post title from "ask" to "SMS MFA for Directory Server logins" so it's more descriptive.
-Sam
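The reply above points to TOTP (authenticator-app codes, RFC 6238) as the MFA method Laserfiche Directory Server supports natively. The following is an added example, not Laserfiche code or any vendor's implementation, showing how a TOTP code is derived and verified on the server side: an HMAC-SHA1 over the 30-second time counter, a constant-time comparison with a small clock-skew window, and a per-user "last accepted counter" so a captured code cannot be replayed. The secret, the `skew` parameter, and the `TotpVerifier` class are assumptions for illustration; the expected codes come from the RFC 6238 test vectors for the ASCII secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, 8-byte big-endian counter), dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    # 31-bit big-endian integer taken at the dynamic offset, then reduced to `digits`
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time counter floor(at / step)."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import (usually rendered as a QR code).
    The secret is base32 without padding, as the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side verifier (hypothetical helper, not a Laserfiche API).

    Accepts codes from the current step plus/minus `skew` steps to tolerate
    clock drift, compares in constant time, and refuses to accept a counter
    at or below the last one already used for that account (replay guard).
    """

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.skew = skew
        self._last_counter: dict[str, int] = {}

    def verify(self, account: str, secret: bytes, code: str, at: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = at // self.step
        last = self._last_counter.get(account, -1)
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= last:
                continue  # code for this step (or an earlier one) was already consumed
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter[account] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "abdulrheem@example.com", "ExampleArchive"))
    v = TotpVerifier()
    code = totp(demo_secret, 59)
    print(code, v.verify("abdulrheem", demo_secret, code, 59))   # first use: accepted
    print(code, v.verify("abdulrheem", demo_secret, code, 61))   # replay: rejected
```

The skew window is the usual trade-off: one step either side keeps phones with slightly wrong clocks working, while the replay guard means the window does not let an intercepted code be reused. Whether you run the TOTP check in Laserfiche or in the SAML IDP, the same properties (constant-time compare, bounded skew, no reuse) are what make app-based codes the stronger option over SMS delivery.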