Christopher Mühl committed Jan 4, 2018
1 parent 258d37f commit 7ac58b5
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions README.md
Expand Up @@ -4,7 +4,7 @@
[![Packagist](https://img.shields.io/packagist/dt/dieschittigs/contao-tfa-bundle.svg?style=for-the-badge)](https://packagist.org/packages/dieschittigs/contao-tfa-bundle)
[![license](https://img.shields.io/github/license/dieschittigs/contao-tfa-bundle.svg?style=for-the-badge)]()

This Contao bundle enables Two-Factor Authentication (TFA/2FA) for backend users. Users with 2FA enabled are not allowed to visit any backend page after logging in, before typing in the correct access code.
This Contao bundle enables Two-Factor Authentication (TFA/2FA) via [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) for backend users. Users with 2FA enabled are not allowed to visit any backend page after logging in, before typing in the correct access code.

The bundle is compatible with **Contao 4.4** or newer.

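Review bot: Naming TOTP in the intro is a useful documentation fix, but the Wikipedia link is the only reference; consider also citing RFC 6238 (the normative TOTP specification) so integrators know which parameters a client app has to implement to interoperate with this bundle. The trailing clause "after logging in, before typing in the correct access code" would also read more clearly as "after logging in until they enter the correct access code".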
Expand All @@ -20,5 +20,9 @@ Select _Packages > Install Packages_ and search for `contao-tfa-bundle`. The but
## Usage
To enable Two-Factor-Authentication for your account, visit your backend profile and open the "_Two-Factor Authentication_" section. Scan the displayed QR code with a compatible app (we recommend **Google Authenticator**, which is available for iOS and Android), verify by typing in the code generated by your app and save.

Since the generated code is time-based and thus changes periodically, it is important that your server time is set up correctly. By default the used library for code verification is able to correct for up to 30 seconds in either direction. This might be configurable in future versions of this bundle.

## Caveats
This bundle intercepts all backend requests to display a two-factor-authentication page for users that have 2FA enabled, but haven't yet authenticated themselves. As such the users can still log in, but they can't access any backend pages.
This bundle intercepts all backend requests to display a two-factor-authentication page for users that have 2FA enabled, but haven't yet authenticated themselves. As such the users can still log in, but they can't access any backend pages.

If you plan to execute code on behalf of the user, make sure to take the two-factor status into account. Although the user can't visit any pages, he's still fully authenticated by the Symfony security layer, so you'll have to add extra checks to make sure two-factor authentication is completed.

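Review bot: The new paragraph starting "Since the generated code is time-based" says "the used library" corrects for up to 30 seconds in either direction without naming that library, so a reader cannot verify the claim or know which dependency governs the tolerance; name it, and make the operational advice concrete, e.g. "keep the server clock synchronised with NTP", since a skew larger than the tolerance locks every 2FA user out, while a wider tolerance lengthens the period during which an already-used or observed code remains valid. "This might be configurable in future versions of this bundle" is vague for a README; either drop it or track it in an issue. The Caveats line also appears as both a removed and an added line with identical text, which suggests a whitespace-only change; confirm that is intended.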
0 comments on commit 7ac58b5
