The following options configure how fast Kirby's login brute-force protection gets activated and how long it takes until the triggered protection is disabled again.
You can set the number of wrong trials per timeout period (see below) before login gets blocked for the current IP address and user (since v3.2.3). The default setting is 10.
You can also set the timeout in seconds for the period of time against which the number of trials is counted. The default is 3600 (one hour). After the timeout is over, login for the current IP address and user is possible again.
auth.methods option controls the available login methods for the Panel and the API.
The available options are:
||Login with email and password (default)|
||Passwordless login with just the email address and a code|
||Password reset via a code|
You can read more about the options in the guide. The options can be combined like in the following examples.
All login methods except the default
password method need a working email transport configuration. Otherwise verification emails cannot be sent. Find out more about how to configure your email transport.
If you want to prevent login via password completely, you can set the login methods option to
code. The default login via password will be disabled.
You can also combine login via code and login via password. The
password-reset method is then no longer available.
The first method in the array will be the default login method.
To enable the password reset form, you can combine the default
password login method with the
To enable two-step/two-factor authentication for your logins, you can pass the
2fa option to the
password method in an array.
2fa mode will ask users for their email and password first and then send a verification email with an additional code that they have to enter afterwards to verify their login.
This is a two-step authentication as it relies on the password to the email account being secure. If you want even more security, you can use auth challenge plugins for challenges like TOTP, SMS or hardware tokens. The login flow is the same, but the additional login code then gets verified by the plugin.
Two-factor/two-step authentication is not compatible with the
password-reset options as logging in via just a code would circumvent the added
Once the user requests a login code or a password reset code, an authentication challenge is created. Kirby by default ships with an email challenge where the code is sent via email. Additional challenges can be added by auth challenge plugins.
The challenges can be configured with the following options:
The timeout controls how long a generated login code is valid. The default is 10 minutes.
You can customize the sender and the subject of the code emails:
If you want to customize the emails even more, take a look how to customize the email templates in the guide.
If multiple auth challenges are installed, you can define the priority of the challenges, i.e. which challenges are tried in which order:
A challenge will be skipped if it isn't available in general or for the user who tries to log in (e.g. a TOTP challenge needs a prior registration, an SMS challenge needs the mobile number etc.).
If none of the configured challenges is available, Kirby will "fake" the last configured challenge to avoid leaking security-relevant information (e.g. whether the user exists). In debug mode, there will be a clear error message instead.