RT::Extension::TOTPMFA

Current version: 0.10 (16 May 2025) [src]

This Request Tracker extension allows users to add multi-factor authentication to their account.

A secret token is stored for each user, and used for time-based one-time passcodes (TOTP).

To enable MFA, the "about me" page is extended with a new section alongside identity and password, for TOTP token management. In this section, the user may scan a QR code based on this token into their mobile device's TOTP-compatible app, such as FreeOTP+ or Google Authenticator. Or, they can enrol the key for their Yubikey device on this page instead.

When an account has MFA enabled, the RT login page works as usual, but the user is then prompted to enter a one-time passcode before they can proceed any further.

The MFA prompt will be repeated after a configurable duration, or when a new session begins.

If a user loses their MFA token, an administrator can switch off MFA in their account settings on their behalf, on the user basics modification page.

You can download the latest source code from here or from the linked pages.

This software is distributed under the terms of the GNU General Public License version 3 or later.

Request Tracker 5.0.0 or higher is required, along with the following Perl modules:

• Module::Install::RTx
• Authen::OATH (Debian package: libauthen-oath-perl)
• Convert::Base32 (Debian package: libconvert-base32-perl)
• Imager::QRCode (Debian package: libimager-qrcode-perl)
• Crypt::CBC (Debian package: libcrypt-cbc-perl)
• LWP::UserAgent (Debian package: libwww-perl)

Installation will typically require these steps:

curl -O https://ivarch.com/programs/sources/RT-Extension-TOTPMFA-0.10.tar.gz
tar xzf RT-Extension-TOTPMFA-0.10.tar.gz
cd RT-Extension-TOTPMFA-0.10
RTHOME=/usr/share/request-tracker5/lib perl Makefile.PL
make
sudo make install

Then, edit your RT site config file, such as /opt/rt5/etc/RT_SiteConfig.pm, and add these lines:

Set($TOTPMFA_Issuer, 'Request Tracker');
Set($TOTPMFA_Period, 30);
Set($TOTPMFA_Digits, 6);
Plugin('RT::Extension::TOTPMFA');

Finally, restart Request Tracker.

Please read the README file within the archive for more detailed installation and configuration instructions.

News

0.10 - 16 May 2025

• Allow QR code to be shown inline (elacour - PR #6).
• Localisation support added (elacour - PR #4).
• French translation added (elacour - PR #4).
• Fix bug when resetting secret (elacour - PR #7).
• Further packaging improvements (elacour - PR #3).

0.04 - 4 April 2025

• First full release.