mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-08 03:09:39 +03:00
MFA Option: Email based OTP #5169
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @emirhanuysall on GitHub (Feb 3, 2025).
Describe the feature you'd like
Currently, BookStack does not support OTP-based authentication for email logins.
We propose adding an optional OTP feature that integrates with existing MFA systems, allowing users to enter a one-time code sent via email during login.
This would enhance security while maintaining compatibility with BookStack's existing authentication flow.
Describe the benefits this would bring to existing BookStack users
Enhanced Security & Flexibility
-Improved Account Protection: Adds an extra layer of security by requiring a one-time password (OTP) during email login, reducing the risk of unauthorized access.
-Seamless MFA Integration: Allows users to enable OTP authentication without modifying BookStack’s core authentication system, making it easier to integrate with existing MFA setups.
-Better Compliance: Helps organizations meet security and compliance requirements by providing an additional authentication step.
-User-Friendly Authentication: Ensures a simple and effective way to enhance security without requiring external authentication providers.
Can the goal of this request already be achieved via other means?
No.
Have you searched for an existing open/closed issue?
How long have you been using BookStack?
1 to 5 years
Additional context
No response
@aliozgur commented on GitHub (Feb 6, 2025):
@ssddanbrown, @emirhanuysall is on my team, and this feature was developed based on a requirement.
To give you more context: we use BookStack for customer-specific documentation, and we have hundreds of customers and users who log in to BookStack with their corporate email addresses. Customer documents usually contain private details specific to the customer. When a BookStack user associated with a customer leaves, we want to cut off their access to our BookStack instance.
In practice, knowing which user has left a customer is not always possible, as our customers do not notify us in such situations. As a result, we thought the Email MFA option would be a valuable feature, as users who no longer have access to their corporate accounts would be unable to log in to BookStack.
We would appreciate it if this PR were merged.
@ssddanbrown commented on GitHub (Feb 6, 2025):
@aliozgur Thanks for offering development of the PR but as said in #5469 I'd want to see some proven demand/need. Need for a single scenario/business and provision of a PR are not really core reasons I'd consider for inclusion and growing the project scope.
But this alone would not really achieve that in BookStack, since there's nothing to force use of a specific MFA option. Users could just use another MFA option. This would really need to be also paired with controls to limit/control MFA options to achieve that. Generally speaking, that kind of scenario is better served by a company having proper centralised user management (so OIDC/SAML2/LDAP SSO).
@TorbenBusch commented on GitHub (Oct 10, 2025):
Hi @ssddanbrown, we have pretty the same use case as @aliozgur. We are a company writing customer specific documentation into Bookstack and provide access to our customers. They cannot or don't want to share any account information directly with us, so centralised user management is not feasible.
Therefore, it would be great to have email OTP sent to the customer's business email address, where he or she is locked out when he or she leaves that company.
As you mentioned, in order to work as wanted, a restriction in MFA options is required, so that email OTP is the only allowed option.