I’m requesting the option (or a callable function for manual programming) to use the second authentication factor (Google authenticator, email or sms) as a way to protect some actions. That could be a very ‘nice to have’ for custom actions, and maybe in some cases for adding, editing or deleting records.
Also (or alternatively), could something like that be implemented for the PhpMaker’s Microsoft Entra ID single sign-on SAML implementation?
It would be a big plus if a user (with 2fa enabled) could be forced to get a 2fa verification prompt before executing a custom action - like a home banking site asks for verification before executing a transfer or payment, even though the user is already logged in.
Can this be achieved in version 2026?
Both the email/sms service has the following two methods:
public function sendOneTimePassword(string $user, #[\SensitiveParameter] ?string $account = null): bool|string
and
// Returns ["success" => true] or ["success" => false]
public function verify(string $user, ?string $code): array
You can send one time password before your custom action and verify the user input. Since action is “custom”, you do need to write code.