E-Mail as Second Factor
=======================

This plugin adds the user's e-mail account as a second authentication
factor.

After logging in through another authentication module, a one-time code
will be generated by the portal and sent to the user's e-mail address.
The user will be prompted for this code in order to finish the login
process.


.. attention::

    This plugin will only improve security in situations
    where the user's email is not protected by the same password used to
    log in to LemonLDAP::NG. And of course, if the user's email account is
    also protected by LemonLDAP::NG, they will not be able to open their
    mailbox to find out their one-time code.

Configuration
~~~~~~~~~~~~~

Before configuring this module, make sure the user's email address is
correctly fetched from your UserDB plugin and appears in the session
browser. If you want to store the user e-mail in a different session
field than ``mail``, go to "General Parameters » Advanced parameters »
SMTP" and set the "Session key containing mail address" parameter.

All parameters are configured in "General Parameters » Second factors »
Mail second factor".

-  **Activation**: Set to ``On`` to activate this module. If a user does
   not have an email address, they will encounter an error on login. If
   you want to use this plugin only for users who have an email address,
   use ``$mail`` (or whatever your e-mail session key is) as the
   activation rule.
-  **Code regex**: The regular expression used to generate one-time
   codes. The default is a 6-digit code.
-  **Code timeout**: It might take a while for users to open their
   e-mail account and find the code. Raise this timeout if the default
   (2 minutes) isn't enough.
-  **Mail subject**: The subject of the email the user will receive. If
   you leave it blank, it will be looked up in translation files.
-  **Mail body**: The plain text content of the email the user will
   receive. If you leave it blank, the ``mail_2fcode`` HTML template
   will be used. The one-time code is stored in the ``$code`` variable.
-  **Authentication level** (Optional): if you want to overwrite the
   value sent by your authentication module, you can define here the new
   authentication level. Example: 5
-  **Logo** (Optional): logo file *(in static/<skin> directory)*
-  **Label** (Optional): label that should be displayed to the user on
   the choice screen
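
The following Python sketch is an added illustration, not LemonLDAP::NG code. It shows how the **Code regex** and **Code timeout** settings translate into a code space and a validity window: it sizes a pattern, draws a code from it, and accepts it once within the timeout. The supported regex subset, the function names and the ``PendingCode`` class are assumptions made for this example; ``\d{6}`` is used as a pattern matching the 6-digit default described above.

```python
import hmac, re, secrets, string, time
# Assumed regex subset for this example: \d, [..] classes with ranges,
# single alphanumeric literals, each optionally followed by {n}.
TOKEN = re.compile(r"(\\d|\[[^\]]+\]|[A-Za-z0-9])(?:\{(\d+)\})?")

def alphabets(pattern):
    """Return the allowed characters for each position of the code."""
    out, pos = [], 0
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if not m or m.group(1).startswith("[^"):
            raise ValueError(f"unsupported construct at offset {pos}")
        atom, count = m.group(1), int(m.group(2) or 1)
        if atom == r"\d":
            chars = string.digits
        elif atom.startswith("["):
            expanded = re.sub(r"(.)-(.)", lambda r: "".join(
                chr(c) for c in range(ord(r[1]), ord(r[2]) + 1)), atom[1:-1])
            chars = "".join(sorted(set(expanded)))  # ranges expanded, de-duplicated
        else:
            chars = atom
        out.extend([chars] * count)
        pos = m.end()
    return out

def keyspace(pattern):
    total = 1  # number of distinct codes the pattern can produce
    for chars in alphabets(pattern):
        total *= len(chars)
    return total

def new_code(pattern):
    # secrets uses the OS CSPRNG; random.choice would be predictable.
    return "".join(secrets.choice(chars) for chars in alphabets(pattern))

class PendingCode:
    """A code waiting for the user; 120 s mirrors the 2-minute default."""
    def __init__(self, pattern=r"\d{6}", timeout=120, now=time.time):
        self.code, self.now = new_code(pattern), now
        self.expires = now() + timeout
    def verify(self, submitted):
        if self.code is None or self.now() > self.expires:
            self.code = None
            return False
        ok = hmac.compare_digest(self.code.encode(), submitted.encode())
        if ok:
            self.code = None  # one-time: an accepted code cannot be replayed
        return ok
```
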
