Releases: Bubka/2FAuth

v4.1.0

07 Jul 12:52

This new version introduces a very common feature in the world of 2FA apps, the automatic generation and display of passwords.

Since the very beginning, 2FAuth has offered an Open, Click & Get one password behavior; this is one of the main reasons why I created it. But this can be very troublesome or frustrating for users migrating from other 2FA apps, as almost all of them work with an Open & Get passwords behavior, which is much more straightforward.

So this is now only a user choice as 2FAuth offers both behaviors via a user preference. Obviously, the Open, Click & Get one password behavior remains the default one.

Added

  • A user preference to generate and show 2FA passwords on the main view without user interaction (#153)
  • An administrator setting to disable user registration (#170)
  • A 2fauth:install Artisan command to ease both initial and upgrade installation.
  • A spinner, during 2FA password loading - By @josh-gaby.

Changed

  • Aegis migrations with empty name properties are no longer rejected. The issuer property is then used as a fallback value.
  • The Docker image now embeds the MySQL/MariaDB PHP extension, so it may be ready to work with these databases.

Fixed

v4.0.3

30 Jun 14:38

Security release

  • Fix possible SQL injection in validation rule (thx @YouGina)
  • Fix various possible XSS injections (thx @quirinziessler)

v4.0.2

19 Apr 06:51

Fixed

  • issue #176 Lost keys when upgrading to 4.x whilst using proxy header authentication

v4.0.1

16 Apr 15:45

Fixed

v4.0.0

14 Apr 16:25

Time for multi-user has arrived, here comes v4.0!

This is a first step mainly dedicated to internal changes, so the feature has been integrated gently. For now, almost nothing has changed around user management, except that registrations are opened to new users and some options are only available to the administrator.

This version also comes with nice additions: a light theme, an export feature and support for a custom base URL, just to name a few.

⚠️ This release drops PHP 8.0 support ⚠️

Added

  • An Export feature (accessible via the Manage view) that lets you download your 2FA data in a JSON migration file
  • The Import feature accepts the 2FAuth JSON file generated by the Export feature
  • Support for a custom base URL. You can now install 2FAuth in a domain sub-directory, e.g. https://mydomain/2fauth/ (see Docs)
  • ctrl+F keyboard shortcut to focus on Search on the main view
  • A light theme
  • IP addresses of failed login attempts are now logged

Changed

⚠️ 2FAuth uses a new component to operate the WebAuthn authentication that cannot use existing registrations of your security devices. As a consequence, all your security devices will be revoked and the "Use Webauthn only" option will be disabled during the upgrade to avoid any issue and/or lockout. You will have to sign in using your email and password to re-register your security devices.

  • The Manage view layout has been rearranged: The search bar remains and the action buttons now stand in the page footer
  • Password formatting is now a user option available with 3 formats: Grouping digits by pair, by trio or by half
  • Failed login throttling and API calls throttling can be configured in the .env file
  • Logs give more information
  • Upgrade to Laravel 9.0

Removed

  • The ability to set a Secret in a plain text format (in the advanced form). This was confusing and without any benefit.

Fixed

v4.0.0-beta.1

27 Mar 11:34
Pre-release

Warnings

This is a pre-release of v4.0.0 which introduces a deep change: multi-user support. You should consider it for testing purposes only.

⚠️ Make a backup of your database first or try it with fake data ⚠️
⚠️ This release drops PHP 8.0 support ⚠️


Time for multi-user has arrived, here comes v4.0!

This is a first step mainly dedicated to internal changes, so the feature has been integrated gently. For now, almost nothing has changed around user management, except that registrations are opened to new users and some options are only available to the administrator.

This version also comes with nice additions: a light theme, an export feature and support for a custom base URL, just to name a few.

Added

  • An Export feature (accessible via the Manage view) that lets you download your 2FA data in a JSON migration file
  • The Import feature accepts the 2FAuth JSON file generated by the Export feature
  • Support for a custom base URL. You can now install 2FAuth in a domain sub-directory, e.g. https://mydomain/2fauth/
  • ctrl+F keyboard shortcut to focus on Search on the main view
  • A light theme
  • IP addresses of failed login attempts are now logged

Changed

⚠️ 2FAuth uses a new component to operate the WebAuthn authentication that cannot use existing registrations of your security devices. As a consequence, all your security devices will be revoked and the "Use Webauthn only" option will be disabled during the upgrade to avoid any issue and/or lockout. You will have to sign in using your email and password to re-register your security devices.

  • The Manage view layout has been rearranged: The search bar remains and the action buttons now stand in the page footer
  • Password formatting is now a user option available with 3 formats: Grouping digits by pair, by trio or by half
  • Failed login throttling and API calls throttling can be configured in the .env file
  • Logs give more information
  • Upgrade to Laravel 9.0

Removed

  • The ability to set a Secret in a plain text format (in the advanced form). This was confusing and without any benefit.

Fixed

v3.4.2

25 Jan 12:29

Fixed

  • issue #160 Steam otpauth URI from Aegis are rejected by the Import feature

v3.4.1

25 Nov 13:44

Fixed

  • issue #140 Bad regex for Period field (advanced form)
  • issue #141 Digits field is missing in advanced form

v3.4.0

20 Oct 07:25

This release is a big step towards more accessibility. Keyboard navigation is now fully supported, with clean and consistent focus, and several UI components have received relevant ARIA properties to support assistive technologies.

It also provides a rewritten Import feature that supports new export formats (Aegis and 2FAS Authenticators) and more to come.

⚠️ This release should be the last that supports PHP 8.0

Added

  • An option to check for new releases on GitHub (#127)
  • An option to automatically copy One-Time Passwords when they are displayed (#125)
  • Aegis and 2FAS export formats are now supported by the Import feature (#128)
  • (Partial) Spanish and Chinese (simplified) localizations

Changed

  • Password fields can reveal the password and inform about the password strength (#124)

Fixed

  • issue #126 HOTP counters are not updated after OTP generation
  • Autolock setup ignored when session lifetime was shorter, causing CSRF token mismatch errors

Full Changelog: v3.3.3...v3.4.0

v3.3.3

16 Aug 08:20

Fixed

  • issue #110 Can't sign in with login/password after the removal of the last webauthn device
  • issue #111 Inappropriate notification about existing user during registration
  • issue #113 Password reset does not work
  • issue #115 WEBAUTHN_NAME .env variable set as null generates server error