Add TOTP-based Multi-Factor Authentication (MFA) for local users

Global MFA toggle in Security settings, QR code setup on first login,
6-digit TOTP verification on subsequent logins. Azure AD users exempt.
Admins can reset user MFA. TOTP secrets encrypted at rest with Fernet.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 23:14:06 +01:00
parent 647630ff19
commit 3d28f13054
13 changed files with 615 additions and 62 deletions


@@ -225,6 +225,29 @@
"cancel": "Cancel",
"createUser": "Create User"
},
"mfa": {
"title": "Multi-Factor Authentication (MFA)",
"enableMfa": "Enable MFA for all local users",
"mfaDescription": "When enabled, local users must verify with a TOTP authenticator app after entering their password. Azure AD users are not affected.",
"saveMfaSettings": "Save MFA Settings",
"yourTotpStatus": "Your TOTP Status",
"totpActive": "Active",
"totpNotSetUp": "Not set up",
"disableMyTotp": "Disable my TOTP",
"enterCode": "Enter your 6-digit authenticator code",
"verify": "Verify",
"backToLogin": "Back to login",
"scanQrCode": "Scan this QR code with your authenticator app",
"orEnterManually": "Or enter this key manually:",
"verifyAndActivate": "Verify & Activate",
"resetMfa": "Reset MFA",
"confirmResetMfa": "Reset MFA for '{username}'? They will need to set up their authenticator again on next login.",
"mfaResetSuccess": "MFA reset for '{username}'.",
"mfaDisabled": "Your TOTP has been disabled.",
"mfaSaved": "MFA settings saved.",
"invalidCode": "Invalid code. Please try again.",
"codeExpired": "Verification expired. Please log in again."
},
"common": {
"loading": "Loading...",
"back": "Back",