2FA+ | Staff Authentication 2.4.17

Simple 2FA plugin for your Minecraft server.

  1. egg82
    Native Minecraft Version:
    Tested Minecraft Versions:
    • 1.8
    • 1.9
    • 1.10
    • 1.11
    • 1.12
    • 1.13
    • 1.14
    Source Code:

    Works with AuthMe(Reloaded)
    Can Replace AuthMe(Reloaded), MineSecure, 2FA, Minecraft Authenticator, etc!

    The first time 2FA+ is run it will take some time to start up. This is normal, and it will very rarely (if ever) take that long again.


    2FA+ WILL require some setup in order to work properly. It will likely kick you out of your own server the first time you load it. Please read the wiki for installation and configuration instructions.

    Code (Text):
    # How the plugin stores long-term data
      # The storage method
      # Options:
      # - MySQL (remote)
      # - SQLite (local)
      method: 'sqlite'

        # Address and port of the remote database (if applicable)
        address: ''
        # The name of the database 2FA+ will store data in
        # If you're using remote options, this must be created beforehand
        database: '2faplus'
        # Table prefix for all 2FA+ tables
        prefix: '2faplus_'
        # Database credentials (if applicable)
        username: ''
        password: ''
        # Whether or not to use SSL
        ssl: false

        # MongoDB options- obviously don't need to worry about these if not using MongoDB ;)
          # Connection prefix for all 2FA+ connections
          collection-prefix: ''
          # MongoDB ClientConnectionURI
          connection-uri: ''

        # The maximum size of the database connection pool
        # Determines the max number of connections to the database
        max-pool-size: 2
        # The minimum size of the database connection pool
        # Determines the min number of connections kept alive to the database
        min-idle: 2
        # The maximum lifetime of a connection in the pool
        # Should be at least 30 seconds less than any database or infrastructure-imposed connection time limit
        max-lifetime: 1800000 # 30 minutes
        # The maximum number of milliseconds that the plugin will wait for a new connection from the pool before timing out
        timeout: 5000 # 5 seconds

        # Extra connection properties
          unicode: true
          encoding: 'utf8'

    # Redis is a very fast cache accessible by multiple servers
    # If you don't want to constantly hit your database for queries, try enabling and configuring this
    # You will need to install the (external) Redis server software if you haven't already
    # https://redis.io/
      enabled: false
      # Address and port of the remote Redis server
      address: ''
      # Redis credentials
      password: ''

    # RabbitMQ is a messaging queue that will allow the plugin to push instant updates across multiple servers
    # You will need to install the (external) RabbitMQ server software if you haven't already
    # https://www.rabbitmq.com/
      enabled: false
      # Address and port of the remote RabbitMQ server
      address: ''
      # RabbitMQ credentials
      username: 'guest'
      password: 'guest'

    # When true, logs some extra output to the console so you can see if/why things might be failing
    debug: false

    # Authy is used as one of the available 2FA services.
    # You may get an API key at the link below.
    # https://www.twilio.com/docs/authy/twilioauth-sdk/quickstart/obtain-authy-api-key
      # Authy API key. Required.
      key: ''

    # OTP (used for TOTP and HOTP) is used as one of the available 2FA services.
    # This can be used with any service that takes a QR code
    # eg. Google Authenticator, LastPass, or Microsoft Authenticator
      # The number of digits to generate
      digits: 6
      # The business/organization name that shows up on the 2FA app when scanning the QR code
      issuer: '2FAPlus'

      # When a player successfully authenticates, their UUID and IP is stored in a database
      # This IP is kept in the database for the below amount of time before being removed
      # While this IP is in the database, any time they log in from the IP they will not need to re-authenticate
      ip-lifetime: '30days'
      # 2FAPlus can protect specific commands from being run without first authenticating
      # Since this can get pretty annoying pretty quickly, the plugin sets a timer on the first successful 2FA attempt
      # While this timer is active, 2FA is not required for future verification attempts unless otherwise stated and/or explicitly called via the API
      # The timer resets every time a 2FA verification is required
      # 2FA verification is most commonly triggered by the commands below, but can also be triggered via the API
      verification-lifetime: '3minutes'
      # Commands to protect with 2FA
      - 'op'
      - 'deop'
      - 'lp'
      - 'luckperms'
      - 'perms'
      - 'permissions'
      - 'perm'
      - 'pex'
      - 'gm'
      - 'groupmanager'
      - '2faplus'
      - 'tfaplus'
      - '2fa'
      - 'tfa'
      # Whether or not to completely deny players who don't have 2FA set up
      # True: Players without a 2FA account registered will be kicked with a message
      # False: Players without a 2FA account registered will be allowed in by default
      force-auth: true
      # The kick message to display to players who don't have 2FA set up
      no-auth-kick-message: '&cPlease set up 2FA with your admin team before logging in!'
      # The maximum number of attempts that can be made before kicking the player with a message
      # 0 or less to disable
      max-attempts: 3
      # The kick message to display to players who have tried (and failed) to authenticate too many times
      # If left blank, will not kick the player
      too-many-attempts-kick-message: '&cYou have attempted 2FA too many times!'
      # The command that CONSOLE will run for players who have tried (and failed) to authenticate too many times
      # Use %player% as a placeholder for the player's (real) name
      # Use %uuid% as a placeholder for the player's uuid
      # If left blank, will not run anything
      too-many-attempts-command: ''
      # How players are frozen while they are waiting for authentication
        # Stop non-authenticated players from running commands
        command: true
        # Stop non-authenticated players from talking in chat
        chat: true
        # Stop non-authenticated players from interacting with other players/entities/blocks
        interact: true
        # Stop non-authenticated players from hitting other players/entities
        attack: true
        # Stop non-authenticated players from moving stuff around in inventories
        inventory: true
        # Stop non-authenticated players from dropping/picking up items
        drops: true
        # Stop non-authenticated players from breaking/placing blocks
        blocks: true
        # Stop non-authenticated players from moving/teleporting (falling is allowed)
        move: true

    # A list of player UUIDs and/or IPs that bypass 2FA
    # WARNING: Adding to this list will SIGNIFICANTLY decrease security, since anyone connecting from these IPs (or with these UUIDs) will completely bypass the system
    # Seriously, think long and hard before using this list
    # By using this plugin, you are trading some convenience for security. By trading some of that back all you've done is gained the worst of both worlds
    - ''
    - 'localhost'
    - '::1'
    #- '069a79f4-44e9-4726-a5be-fca90e38aaf5' #Notch

      # Whether or not to send anonymous usage statistics to bStats
      # True: Send anonymous stats; let the author know how well the plugin is doing and how it's used!
      # False: Do not send stats and make the author sad :(
      usage: true
      # Whether or not to send anonymous errors to the author
      # True: Send errors anonymously to Rollbar and/or GameAnalytics so the author can fix them!
      # False: Do not send errors and wonder why any bugs you encounter haven't been fixed
      errors: true

      # Whether or not to automatically check for updates and notify the console if found
      check: true
      # Whether or not to notify players with the 2faplus.admin permission node
      notify: true

    # Config version, no touchy plz
    version: 1.4

    /2faplus reload - Reloads the plugin.
    /2faplus register authy - Registers a player in the Authy 2FA system. Valid country codes can be found at https://countrycode.org/
    /2faplus register totp - Registers a player in the TOTP 2FA system. For Google, Microsoft, LastPass, etc.
    /2faplus register hotp - Registers a player in the HOTP 2FA system. For YubiKey, NitroKey, etc.
    /2faplus remove - Removes a player in the 2FA system.
    /2faplus check - Checks the player's registration status in the 2FA system.
    /hotp seek - Re-synchronizes your HOTP counter using the next few HOTP codes provided by your client.
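
The counter re-synchronization that /hotp seek describes can be sketched as follows. This is an added example, not the plugin's own code: the function names `hotp` and `seek`, the look-ahead window of 100 and the minimum of two consecutive codes are assumptions, and the secret is the RFC 4226 test value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seek(secret: bytes, server_counter: int, codes: list,
         window: int = 100, digits: int = 6):
    """Return the next counter the server should expect, or None if no match.

    Only counters >= server_counter are searched, so codes that were already
    consumed cannot be replayed to rewind the counter. Requiring a run of
    consecutive codes keeps a wide look-ahead window from making guessing easy:
    one 6-digit code matches somewhere in a 100-step window with probability
    about 1e-4, two consecutive codes with about 1e-10.
    """
    if len(codes) < 2:
        raise ValueError("resync needs at least two consecutive codes")
    for start in range(server_counter, server_counter + window):
        if all(hmac.compare_digest(hotp(secret, start + i, digits), code)
               for i, code in enumerate(codes)):
            return start + len(codes)
    return None


# Constructed scenario using the RFC 4226 Appendix D test secret.
SECRET = b"12345678901234567890"


def demo():
    # The token was pressed four times offline: server expects 0, token is at 4.
    next_counter = seek(SECRET, 0, [hotp(SECRET, 4), hotp(SECRET, 5)])
    # Replaying the same two codes after the resync must fail.
    replay = seek(SECRET, next_counter, [hotp(SECRET, 4), hotp(SECRET, 5)])
    # Drift beyond the look-ahead window is rejected rather than searched forever.
    too_far = seek(SECRET, 0, [hotp(SECRET, 4), hotp(SECRET, 5)], window=3)
    return next_counter, replay, too_far


if __name__ == "__main__":
    print(demo())
```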

    2faplus.use - gives access to register, remove, and check commands
    2faplus.admin - gives access to reload command and notifies of updates. Also allows usage of register, remove, and check commands on other players if 2faplus.use is also granted
    2faplus.check - players with this node will be checked by the default 2FA system on login. Protected commands are always checked and require the player to have 2FA regardless of this permission node

    Please consider donating to support this free plugin!

    Under the GDPR, you must state in a privacy policy that you are storing your players' IP information when using this plugin (in fact, you need that even if you're running a vanilla server without this plugin, because of server logs). Depending on how data provided from this API is used, you may be required to manually remove some data from the databases.
    Disclaimer: I am a plugin developer, not a lawyer. This information is provided as a "best guess" and is not legal advice.

    API documentation can be found on the wiki here.

Recent Reviews

  1. itsWarHammer
    Version: 2.4.17
    Issue with MySQL was reported Jul 31 2019, it still has not been fixed. The plugin works well using SQLite but that is not practical for me. Fix this and I will remove my review and give you the full 5 stars that you deserve!
  2. T_nology
    Version: 2.4.17
    This plugin does not work and is completely broken. When I attempt to register my account for 2FA, it just says my UUID is too long in the MySQL database somehow? I followed the guide from the Wiki and it still didn't work. This plugin also hasn't been updated in over a year. I hope it gets fixed soon.
  3. Adam_YT101
    Version: 2.4.17
    Not working:

    [10:37:33 ERROR]: [2FA+] {m.e.t.c.i.RegisterTOTPCommand} Could not load player data from Mojang (rate-limited?)
    java.io.IOException: Could not load player data from Mojang (rate-limited?)
    at me.egg82.tfaplus.services.lookup.BukkitPlayerInfo.uuidExpensive(BukkitPlayerInfo.java:140)
    at me.egg82.tfaplus.services.lookup.BukkitPlayerInfo.<init>(BukkitPlayerInfo.java:56)
    at me.egg82.tfaplus.services.lookup.PlayerLookup.get(PlayerLookup.java:32)
    at me.egg82.tfaplus.commands.internal.RegisterTOTPCommand.getUuid(RegisterTOTPCommand.java:111)
    at me.egg82.tfaplus.commands.internal.RegisterTOTPCommand.lambda$run$0(RegisterTOTPCommand.java:52)
    at co.aikar.taskchain.TaskChain$TaskHolder.run(TaskChain.java:1309)
    at co.aikar.taskchain.TaskChain$TaskHolder.access$100(TaskChain.java:1266)
    at co.aikar.taskchain.TaskChain.lambda$nextTask$18(TaskChain.java:1187)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    [10:37:33 INFO]: [2FA+] Could not get UUID for DarkBoy2005 (rate-limited?)
  4. opti8145
    Version: 2.4.17
    Nice plugin. Awesome secure.
    But can't change language in lang_en.
  5. 151515
    Version: 2.4.17
    How to implement this on BungeeCord?
  6. U-ENERGYoff
    Version: 2.4.17
    Is this plugin for staff only? Can I use it for normal authentication of players, something like:
    First, players on the Auth server enter the password for AuthMe, then the code for 2FA + and only after they are thrown into the lobby. Is such a scheme possible?
  7. U-ENERGYoff
    Version: 2.3.15
    Wonderful plugin, but did not find the opportunity to translate it into my native language (Russian). Typically, plug-ins create a text file, such as "messages.yml", or you can find it inside the .jar of plugin, but I still do not understand how to translate 2FA+. Is your plugin targeted only at English-speaking users?
    1. egg82
      Author's Response
      The "too-many-attempts-kick-message" in the config.yml is able to be translated, but I have not (yet) made other messages translate-able. This shouldn't be a difficult request to fill, however. I will note it for a future release :)

      Thanks for the review!
  8. DictatorAlideen
    Version: 2.2.9
    Excellent plugin for all matters of Staff protection. The author is a good man who takes pride, time and value in his work.
    The reply below is a load of rubbish and they clearly have no idea how to run a server ^-^
    1. egg82
      Author's Response
      Thanks for the review! This last update was murder.
  9. LiquidMc
    Version: 1.2.6
    Too confusing and very hard to set up. Once set up it's an OK plugin until your auth code changes on the Twilio.
    1. egg82
      Author's Response
      Hmm, fair- the initial configuration file generally has reasonable defaults with the exception of the Authy code itself, but it could certainly be a more simplified process. Twilio auth codes shouldn't ever change, so that is very odd. Otherwise, you could try using the standard TOTP built into the plugin if you wish. 2FA is hard, so it's difficult to make it easy. I'll keep trying, though!