# Configuration

All configuration is done through the Configuration API.

## Options

- `_2fa\Extensions\Member.admins_can_disable` -- Default `false`. If set to `true`, the 2FA option appears in the Security section, which allows an admin to turn 2FA off, but not on. Only the Member can turn 2FA on.
- `_2fa\Extensions\Member.totp_window` -- The number of tokens in the window within which a submitted token is accepted. If this is `0`, only the current token is accepted. Note: this is the total size of the window, not the size either side of the current token. For example, the default value of `2` allows users to submit the previous or the next token as well as the current one.
- `_2fa\Extensions\Member.validated_activation_mode` -- With this set to `false` (default), the user's secret/token is regenerated on each (re)activation of 2FA, and the QR code is available continuously (hidden only by a ToggleField). With this set to `true`, the token is fixed and only changes when the user clicks the 'Regenerate token' button. In this mode the QR code is shown only once (during the activation process), and the user is asked for a verification token when activating 2FA; 2FA is only activated if that token is correct (i.e. the user has set up their authenticator correctly). For deactivation, the user is instead asked to enter their password as an extra validation. This prevents users from locking themselves out of their account and is based on the same flow Google uses for 2FA activation and deactivation.
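The `totp_window` and `validated_activation_mode` options describe behaviour rather than an API, so the following is an added, self-contained model of both in Python; it is example code written for this page, not the module's own PHP. `accepted_codes` and `verify_totp` implement RFC 6238 TOTP with the window semantics exactly as the page states them (the window is the total size: `0` accepts only the current token, `2` accepts the previous, current and next); how odd values round is an assumption. `MemberTwoFactor` is a constructed stand-in for the Member extension that follows the validated activation flow: the secret is fixed once issued, 2FA becomes active only after a correct token, and deactivation requires the password. The method names, the PBKDF2 password check and the RFC 6238 test secret used in the demo are assumptions, not the module's.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30  # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6      # code length used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int) -> str:
    """RFC 6238 TOTP for the 30-second step containing `timestamp` (Unix seconds)."""
    return hotp(secret, timestamp // TIME_STEP)


def accepted_codes(secret: bytes, timestamp: int, totp_window: int) -> set:
    """All codes the server accepts at `timestamp` for a given totp_window.

    Semantics as the page states them: totp_window is the TOTAL window size, so 0 means
    only the current token and 2 means previous + current + next.  Offsets therefore run
    from -totp_window//2 to +totp_window//2; rounding odd values down is an assumption.
    """
    half = totp_window // 2
    current = timestamp // TIME_STEP
    return {hotp(secret, current + k) for k in range(-half, half + 1)}


def verify_totp(secret: bytes, code: str, timestamp: int, totp_window: int) -> bool:
    """Accept `code` if it matches any token in the window (constant-time per comparison)."""
    submitted = code.strip().encode()
    return any(hmac.compare_digest(c.encode(), submitted)
               for c in accepted_codes(secret, timestamp, totp_window))


class MemberTwoFactor:
    """Constructed model of validated_activation_mode (not the module's Member extension):
    the secret is fixed once issued, 2FA is active only after a correct token has been
    entered, and turning 2FA off requires the member's password."""

    PBKDF2_ROUNDS = 200_000  # assumption; stands in for SilverStripe's password hashing

    def __init__(self, password: str, totp_window: int = 2):
        self.totp_window = totp_window
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_password(password)
        self.secret = None   # raw TOTP secret; None until activation starts
        self.active = False

    def _hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)

    def begin_activation(self, secret: bytes = None) -> str:
        """Issue the secret the one-time QR code encodes, returned in authenticator base32.
        Revisiting this step does NOT rotate the secret; only regenerate_secret() does."""
        if self.active:
            raise RuntimeError("2FA is already active; deactivate it first")
        if self.secret is None:
            self.secret = secret or secrets.token_bytes(20)
        return base64.b32encode(self.secret).decode()

    def regenerate_secret(self) -> str:
        """The explicit 'Regenerate token' action, the only other way the secret changes."""
        self.secret = secrets.token_bytes(20)
        return base64.b32encode(self.secret).decode()

    def confirm_activation(self, code: str, timestamp: int) -> bool:
        """Enable 2FA only once the user proves the authenticator produces the right code."""
        if self.secret is None or self.active:
            return False
        if verify_totp(self.secret, code, timestamp, self.totp_window):
            self.active = True
        return self.active

    def deactivate(self, password: str) -> bool:
        """Deactivation asks for the password rather than a token."""
        if not hmac.compare_digest(self._hash_password(password), self._pw_hash):
            return False
        self.active = False
        self.secret = None
        return True


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 Appendix B test secret at its test timestamp.
    member = MemberTwoFactor("correct horse battery staple", totp_window=2)
    print("QR secret (base32):", member.begin_activation(b"12345678901234567890"))
    now = 1111111111
    print("activated with current code:", member.confirm_activation(totp(member.secret, now), now))
    print("codes accepted right now:", sorted(accepted_codes(member.secret, now, 2)))
    print("deactivated with wrong password:", member.deactivate("nope"))
```

The size of `accepted_codes()` is the practical cost of a wider window: each extra token in the window is one more six-digit value a submitted guess can match per attempt, so keep `totp_window` at the smallest value your users' clock drift tolerates and rate-limit token submissions.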

## Example configuration

```yaml
_2fa\Extensions\Member:
  totp_window: 2
  validated_activation_mode: true
```

## Note about SilverStripe CMS reauthentication (3.1.7 upwards)

Due to the way SilverStripe handles re-authentication (expired sessions), it does not currently offer the option to re-authenticate using two-factor authentication tokens. To ensure the user's security, this module disables re-authentication and instead requires the user to log back into the CMS securely.

## Screenshots

### Default activation mode/flow

Screenshots: `2fa-inactive`, `2fa-active`, `2fa-qr-backupcodes`.

### Validated activation mode/flow

Screenshots: `2fa-validated-inactive`, `2fa-validated-qrcode`, `2fa-validated-validationerror`, `2fa-validated-active`, `2fa-validated-deactivation`, `2fa-validated-deactivated`.