The road to a authenticator-based two-factor authentication #62

Closed
scheb opened this issue Mar 6, 2021 · 5 comments
Comments

@scheb
Owner

scheb commented Mar 6, 2021

The bundle has supported authenticator-based security since v5

(Shamelessly stealing the title from Wouter's symfony/symfony#39308)

I'm creating this issue to let everyone know what the plan is for the bundle's next major version and authenticator-based security.

The bundle has supported authenticator-based security since 5.0.0. It's an experimental feature in Symfony, and the bundle's implementation has been experimental as well. I've continuously adopted new features arriving with Symfony 5.x minor releases to make the authenticator integration better and cleaner. Because of that, if you want to use authenticator-based security with the current bundle version (at the time of writing 5.7.0), it requires at least Symfony 5.2; with #61 that will be Symfony 5.3.

Symfony maintainers plan to remove the old security system and make authenticator-based security officially the new security system in Symfony 6, planned for November 2021. I plan to release the next major bundle version (also 6) close to that. That version will be the one supporting Symfony 6; bundle version 5 will not support Symfony 6.

The goal for this upcoming major version is to finally have a clean implementation for two-factor authentication. I want to remove any kind of "hacks" the bundle does to make two-factor authentication work. These are mostly DIC hacks to decorate (internal) services from Symfony's security component in order to inject some extra 2fa-bundle logic. Furthermore, since bundle version 6 is targeting Symfony 6, I'll remove support for the old security system. That allows me to remove a big chunk of code that's no longer needed. Various compatibility layers for older Symfony versions can be removed as well.


Summary:

  • Bundle version 6 releases close to Symfony 6
  • That bundle version will target Symfony 6
  • To support early testing, I'm likely going to release a v6-beta version of the bundle, which is supporting Symfony's respective beta and RC versions
  • Bump up minimum supported PHP version to 8.0 (*) and adopt new language features (e.g. property types)
  • Drop support for the old Symfony security system, only the authenticators-based system will be supported
  • Symfony 5.4 will be supported as a migration path, but only authenticator security. If you try using Symfony 5.4 and the old security system, there will be an error
  • Clean up code that is no longer needed and remove compatibility layers

* Symfony 6 will require PHP 8.0 (symfony/symfony#40389)


Todo:

  • Remove classes related to old security system
  • Remove Symfony compatibility layers for Symfony <= 5.4
  • Remove non-authenticators config from integration tests and app readme
  • Make sure the bundle errors when used on Symfony 5.4 with old security system
  • Add passport to the authentication context
  • Update build matrix (unit + integration test suite)
  • Upgrade notes, mention switch to authenticator security
  • Beta release: Allow Symfony beta-level releases (composer.json in repo root + sub-packages + app folder )
  • Stable release: Only Symfony stable-level releases (composer.json in repo root + sub-packages + app folder)
@scheb scheb changed the title The road to a authenticator-based authentication The road to a authenticator-based two-factor authentication Mar 6, 2021
@scheb scheb added this to the 6.x milestone Mar 8, 2021
@scheb scheb pinned this issue Mar 13, 2021
@scheb scheb added the BC break label Apr 2, 2021
@scheb scheb mentioned this issue May 12, 2021
@wouterj
Contributor

wouterj commented Aug 12, 2021

Just to let you know, we're working hard on removing all legacy code in 6.0 and are adding lots of minor to big deprecations in 5.4 for everything we've missed in 5.3. You can follow this process in symfony/symfony#41613 (including all PRs that referenced it).

Two important PRs I think for this package: In symfony/symfony#42050 , we deprecated unauthenticated tokens. I believe you use this currently to make sure 2FA is not detected as authenticated. In symfony/symfony#42510 , I introduce AuthenticationTrustResolver::isAuthenticated() to add an alternative way to say "this token is unauthenticated". Please let me know if this works for you, or if we need to add other features to support this bundle (feel free to reach out on Slack).

@wouterj
Contributor

wouterj commented Aug 12, 2021

Btw, "I plan to have the next major bundle version (also 6) to be released in sync with that.", if you also mean in sync on the release date, I would highly recommend to not do that, but at least wait one month. That'll give some more time to update things if we change something between the RC phase and the stable release, and it'll give the community some time to fix critical bugs in Symfony that weren't discovered before the stable release (and these bug fixes in turn might also affect this bundle).

@scheb
Owner Author

scheb commented Aug 14, 2021

Hi Wouter,
thanks for the heads-up 👍

Sounds like it's time to add a build against Symfony 5.4 and 6.0 branches, I'm curious how these will go. The isAuthenticated deprecation/removal shouldn't be a problem, since I'm not using the authenticated flag (TwoFactorToken is "authenticated" per default, otherwise Symfony wouldn't want to store it in the session).

And regarding the bundle release, I've rephrased that. I did not mean to literally release "in sync". I just wanted to express that the bundle's major release will be around Symfony's. Though I'll let Symfony release some beta/RC versions first, before I'd consider starting to publish respective beta/RC versions of the bundle.

I'll see how things are going. If I discover anything, I'll reach out!

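The two comments above touch the security-relevant invariant behind all of this: a token that only records "password accepted, second factor still pending" may be stored in the session as an "authenticated" token, yet the authorization layer must never treat it as fully authenticated. The following is an added, stand-alone PHP sketch of that pattern (a trust resolver decorated to refuse a 2FA-in-progress token); it is not code from the scheb/2fa bundle or from Symfony. `TokenInterface`, `AuthenticationTrustResolverInterface`, `TwoFactorToken` and `canAccessProtectedRoute()` are simplified stand-ins defined inline so the file runs by itself, and the sample user `alice` is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added illustration; not code from scheb/2fa or Symfony.
// The two interfaces are simplified stand-ins (assumptions) for Symfony's
// TokenInterface and AuthenticationTrustResolverInterface so the file runs stand-alone.

interface TokenInterface
{
    public function getUserIdentifier(): string;
}

interface AuthenticationTrustResolverInterface
{
    public function isAuthenticated(?TokenInterface $token = null): bool;
    public function isRememberMe(?TokenInterface $token = null): bool;
    public function isFullFledged(?TokenInterface $token = null): bool;
}

// Token issued once the first factor (password) has succeeded.
final class UsernamePasswordToken implements TokenInterface
{
    public function __construct(private string $user) {}
    public function getUserIdentifier(): string { return $this->user; }
}

// Token kept in the session while the second factor is still pending.
// It wraps the first-factor token but must never grant access on its own.
final class TwoFactorToken implements TokenInterface
{
    public function __construct(private TokenInterface $firstFactor) {}
    public function getUserIdentifier(): string { return $this->firstFactor->getUserIdentifier(); }
    public function getAuthenticatedToken(): TokenInterface { return $this->firstFactor; }
}

// Baseline resolver: any present token counts as authenticated and full-fledged.
final class AuthenticationTrustResolver implements AuthenticationTrustResolverInterface
{
    public function isAuthenticated(?TokenInterface $token = null): bool { return $token !== null; }
    public function isRememberMe(?TokenInterface $token = null): bool { return false; }
    public function isFullFledged(?TokenInterface $token = null): bool { return $token !== null; }
}

// Decorator: a 2FA-in-progress token is neither authenticated nor full-fledged;
// every other token is delegated unchanged to the wrapped resolver.
final class TwoFactorTrustResolver implements AuthenticationTrustResolverInterface
{
    public function __construct(private AuthenticationTrustResolverInterface $inner) {}

    public function isAuthenticated(?TokenInterface $token = null): bool
    {
        return !($token instanceof TwoFactorToken) && $this->inner->isAuthenticated($token);
    }

    public function isRememberMe(?TokenInterface $token = null): bool
    {
        return !($token instanceof TwoFactorToken) && $this->inner->isRememberMe($token);
    }

    public function isFullFledged(?TokenInterface $token = null): bool
    {
        return !($token instanceof TwoFactorToken) && $this->inner->isFullFledged($token);
    }
}

// What an authorization check for a protected route boils down to.
function canAccessProtectedRoute(AuthenticationTrustResolverInterface $resolver, ?TokenInterface $token): bool
{
    return $resolver->isFullFledged($token);
}

$resolver = new TwoFactorTrustResolver(new AuthenticationTrustResolver());
$afterPassword = new UsernamePasswordToken('alice');       // constructed sample user
$pendingSecondFactor = new TwoFactorToken($afterPassword); // password ok, 2FA code not yet entered

$cases = [
    'no token'                    => canAccessProtectedRoute($resolver, null),
    'password only, 2FA pending'  => canAccessProtectedRoute($resolver, $pendingSecondFactor),
    'fully authenticated'         => canAccessProtectedRoute($resolver, $afterPassword),
];

foreach ($cases as $label => $allowed) {
    printf("%-28s %s\n", $label, $allowed ? 'allowed' : 'denied');
}

// Only the fully authenticated token may pass; anything else means the decoration is broken.
if ($cases['fully authenticated'] !== true
    || $cases['password only, 2FA pending'] !== false
    || $cases['no token'] !== false) {
    throw new RuntimeException('trust resolver decoration is broken');
}
```

The point of routing the check through a decorator rather than an "authenticated" flag on the token is exactly the one scheb makes above: the session layer wants the pending token to look authenticated so it persists it, while the authorization layer must still deny it. Keeping the two questions apart is what makes the deprecation of unauthenticated tokens harmless for this design.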
@scheb
Owner Author

scheb commented Aug 26, 2021

Update for everyone else: 2fa-bundle on Symfony 5.4 is almost fine. There is one breaking change that was introduced as the result of a refactoring, we need to see how to solve that.

@scheb
Owner Author

scheb commented Sep 15, 2021

^ This has been solved in the meantime. 2fa-bundle 5.x on Symfony 5.4 is working fine.

@scheb scheb unpinned this issue Dec 5, 2021
@scheb scheb closed this as completed Dec 5, 2021