Two-factor Authentication for RISE CRM

✨ Key Features

• TOTP (Google Authenticator-compatible): Users scan a QR code and generate 30-second rotating codes.
• Email OTP: One-time codes delivered to the account email for environments where TOTP is not feasible.
• Backup Recovery Codes: Printable one-use codes for emergency access.
• Trusted Devices: “Remember this device” with configurable expiration to reduce prompts.
• Role-Based Enforcement: Require 2FA for Admins/Staff while making it optional for Clients.
• Login Rate Limiting: Mitigates brute-force attempts on code entry.
• Time-drift Tolerance: Smart windowing for users with slightly misconfigured device clocks.
• Audit & Logs: Track enrollments, last successful 2FA challenges, and recovery-code usage.
• Brandable UI: Clean, responsive setup screens consistent with RISE’s look & feel.
• Privacy-aware: Secrets stored server-side with hashing/encoding; no analytics or telemetry.

⚙️ Technical Stack

• Platform: RISE CRM (PHP)
• Language/Framework: PHP 8.0+ (compatible with RISE’s add-on system; historically CodeIgniter-based)
• Database: MySQL 5.7+ / MariaDB 10.3+
• Crypto: HMAC (SHA-1/SHA-256) for TOTP, Base32 encoding
• Dependencies: mbstring, openssl PHP extensions (recommended)
• Mail Transport: Uses RISE CRM’s configured SMTP for email OTP

Server Requirements: Same as RISE CRM + TLS/HTTPS enabled; cron not required.

🧩 Installation Guide

1. Backup your RISE CRM files and database.
2. Upload the add-on folder to application/modules/ (or your RISE modules directory).
3. Sign in as Admin → Settings > Modules/Add-ons → Enable “Two-Factor Authentication”.
4. Configure policies: enforcement per role (Admin/Staff/Client), TOTP vs Email OTP, trusted-device lifetime, rate limits.
5. Email Settings: Ensure SMTP is working for OTP delivery and notification emails.
6. Test enrollment with a non-admin account: scan QR in Google Authenticator/Aegis/Authy, verify codes, generate backup codes.

📦 Deliverables

• ✅ RISE CRM 2FA Add-on source code
• ✅ Admin & user interfaces (enrollment, code challenge, backup codes)
• ✅ Installation & configuration documentation
• ✅ Example policy presets (strict/standard/lenient)
• ✅ GPL license file
• ✅ Changelog & README

📱 Supported Platforms

• RISE CRM Versions: Recent stable builds (v3.x+ recommended)
• Browsers: Chrome, Firefox, Edge, Safari (latest two versions)
• Authenticator Apps: Google Authenticator, Microsoft Authenticator, Authy, Aegis, 1Password, etc.

🧠 Notes

• License: Distributed under the GPL — you may study, modify, and redistribute.
• Customization Tips:
  • Change enforcement rules per group or per IP range (optional allowlist).
  • Adjust code lengths/time windows and “remember device” lifetime.
  • Brand enrollment pages (logo, palette) to match your CRM theme.
• SEO Assurance: Use terms such as “RISE CRM 2FA,” “Google Authenticator for RISE,” “email OTP for RISE CRM” in listing titles, headings, and FAQs to improve discoverability.

👨‍💻 Original Developer Credit

This package acknowledges the original developer and marketplace listing on
CodeCanyon. Preserving attribution recognizes the author’s expertise and provenance of the code.

🔒 Disclaimer

This is a GPL redistribution of an add-on for educational, review, and development purposes. We are not the original vendor and do not provide official support or warranty. All trademarks and product names (RISE CRM, Google Authenticator, Authy, etc.) belong to their respective owners. Verify compatibility with your specific RISE CRM version and test thoroughly in staging before production.