MCAuthenticator is a Bukkit/BungeeCord API based plugin that provides two-factor authentication (2FA) using TOTP, the Time-Based One-Time Password algorithm (RFC 6238). All players on a server may optionally use it, and enforcement for certain players is configurable through permission nodes. It is designed to allow for more secure Minecraft server environments, especially when account cracking and hacking are so prevalent. The plugin greatly reduces the risk of a compromised staff account, making it much harder to compromise a server in general.
I believe that security components should be auditable by a wide variety of people in order to get the most secure solution we can all collectively use. You may freely inspect and update the code as much as you want, as per the MIT License of this project. I encourage pull requests and feature requests! This project is located on GitHub.
To install MCAuthenticator, put `MCAuthenticator.jar` in the `plugins/` folder of your Bukkit/Spigot server. Once you start the server, the plugin will generate a configuration as described below.
MCAuthenticator uses one root command, /auth (with aliases /2fa, /authenticator, and /mcauthenticator), with a set of subcommands:
- /auth enable [player] - Enables 2FA on an account, or your own account if a player isn't specified.
- /auth disable [player] - Disables 2FA on an account, or your own account if a player isn't specified.
- /auth reset [player] - Keeps 2FA enabled, but resets the 2FA on your account or another player's if player is specified.
- /auth reload - Reloads the configuration, then re-authenticates all players based on configured authentication rules.
- `mcauthenticator.use` (default: op) - Allows for the root use of the /auth command. In order to do anything with the /auth command, the player __must__ have this permission.
- `mcauthenticator.enable` (default: op) - Allows for the user to do /auth enable on themselves. This does not control whether the player is allowed to have 2FA enabled on their account; if console or a player with `mcauthenticator.enable.other` enables 2FA on their account, the plugin will let them.
- `mcauthenticator.disable` (default: op) - Allows for the user to do /auth disable on themselves.
- `mcauthenticator.enable.other` (default: console only) - Allows for the user to perform /auth enable <player>, enabling authentication for another player. The other player does not need to have `mcauthenticator.enable` in order to have 2FA enabled on their account.
- `mcauthenticator.disable.other` (default: console only) - Allows for the user to perform /auth disable <player>, disabling another player's authentication.
- `mcauthenticator.reset` (default: op) - Allows for a player to reset their own account's authentication.
- `mcauthenticator.reset.other` (default: console only) - Allows for the user to reset other users' authentication.
- `mcauthenticator.reload` (default: console only) - Allows for the user to reload the configuration.
- `mcauthenticator.lock` (default: op) - Does two things: 1. Forces the user to always have 2FA enabled, not allowing them to disable or reset their own authentication. 2. Does not allow anyone but console to reset or disable their authentication. Even if another user has any of the `.other` permission nodes, the plugin will __not__ allow them to perform any changes to the locked player's authentication. This should be given to any staff members, as it will prevent a compromised account from being used to compromise other staff (or important persons') accounts in a chain.
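The rules in the permission list above can be read as one authorization decision. The following is an added example that models those documented rules; it is not the plugin's own code, and `may_run`, `CONSOLE`, and the player names in `PERMS` are constructed for illustration.

```python
CONSOLE = "CONSOLE"  # assumed sentinel for the server console
P = "mcauthenticator."

def may_run(actor, action, target, perms):
    """Decide whether `actor` may run /auth <action> on `target`.

    perms maps a player name to the set of permission nodes they hold.
    action is one of: enable, disable, reset, reload.
    """
    if actor == CONSOLE:
        return True                      # console is never restricted
    held = perms.get(actor, set())
    if P + "use" not in held:
        return False                     # root permission gates every subcommand
    if action == "reload":
        return P + "reload" in held
    # A locked target can only be disabled or reset from console,
    # whether the actor is the target or someone holding .other nodes.
    if action in ("disable", "reset") and P + "lock" in perms.get(target, set()):
        return False
    node = P + action + ("" if actor == target else ".other")
    return node in held

# Constructed sample: admin_a is a staff account that was granted .other nodes.
PERMS = {
    "admin_a": {P + "use", P + "disable", P + "reset",
                P + "disable.other", P + "reset.other", P + "lock"},
    "admin_b": {P + "use", P + "lock"},
    "mod_c":   {P + "use", P + "disable"},   # staff without the lock node
}

if __name__ == "__main__":
    # If admin_a is taken over, locked accounts stay protected, unlocked ones do not.
    for target in ("admin_a", "admin_b", "mod_c"):
        print("admin_a disable", target, "->",
              may_run("admin_a", "disable", target, PERMS))
```

The `mod_c` case shows why the lock node belongs on every staff account: without it, any account holding `mcauthenticator.disable.other` can turn that player's 2FA off.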
Configuration is outlined on the plugin GitHub page in the Configuration section. It will probably change between updates, and the information in the plugin page could become outdated.
All other information about the plugin is listed on the configuration guide. Please post questions and other inquiries in the discussion section of this plugin. All bugs should go on the issue board of the plugin's GitHub project.
I want to give an extra special thanks to @aaomidi, who wrote the first version of this plugin, and allowed me to actively maintain it.
Free and comprehensive 2FA (TOTP) authentication for Bukkit servers/networks
I am getting an error:
Works as expected and does everything I need. For those having issues with "incorrect codes" keep in mind that your system time needs to be within 30 seconds of the actual time. So you'll need to install an NTP client, or keep your system time accurate another way in order to reliably use this plugin, just like ALL other TOTP auth plugins.
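The clock dependence raised in the review above follows from how RFC 6238 derives a code from the current 30-second time step. The following is an added example, not the plugin's code: the secret is the RFC 6238 test key, and the `window` parameter (how many neighbouring steps a verifier accepts) is an assumption, since the page does not state what MCAuthenticator allows.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the RFC 6238 default
SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test key (SHA-1)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret, code, server_time, window=1):
    """Return the step offset that matched, or None if the code is rejected.

    window=0 accepts only the server's current step; window=1 also accepts
    one step before and after, tolerating modest clock drift.
    """
    current = server_time // STEP
    for delta in range(-window, window + 1):
        if current + delta < 0:
            continue
        candidate = hotp(secret, current + delta, len(code))
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return delta
    return None

if __name__ == "__main__":
    phone_time = 1111111109              # last second of a 30-second step
    code = totp(SECRET, phone_time, 8)   # 8 digits to match the RFC vectors
    for skew in (0, 2, 45):
        for window in (0, 1):
            result = verify(SECRET, code, phone_time + skew, window)
            print(f"server ahead by {skew:>2}s, window={window}: {result}")
```

With `window=0`, even a 2-second difference rejects a code generated at the end of a step, which is why an accurate server clock matters more than the raw size of the drift.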
Having an issue with logging in, if I have the plugin installed and I enter my code generated from Google Authenticator, it says that the code is incorrect or that I am not authenticated.
Posting this here as someone in the issues page posted this exact same issue back in August.
Does NOT work AT ALL with AuthMe. Have spent hours on this issue now. When you join the server, MCA prevents you from typing /login until you authenticate, and AuthMe prevents you from doing /2fa until you login (even with /2fa added to the list of allowed commands before login). This is a HUGE bug that affects multiple servers.
Works perfectly! This plugin is a must have for any server owners who have had issues with accounts being hijacked, especially admin (OP) or privileged accounts! It's very simple to set up and use. I have no criticism for this plugin at all, only good things to say. :)