user

Add tokens, such as a user ID, to text or URL paths of menu items. 

Be wary of this issue: Current-user:uid not correct

Set required fields more precisely.

How to verify it it's in use on any fields (so you can remove it if desired)

select * from config where data like "%required_by_role%";

install tfa and ga_login (TFA is just a framework, it doesn't come with it's own login plugins.)

Use this patch I wrote - it adds display of validation skip times and an admin reset button for users who are got locked out.

My installation instructions:

Next you need to generate an encryption profile.
First you need to generate a key - key type needs to be Encryption (not Authentication).
A 128bit key = 128/8 bytes = 16 characters - so generate a random 16 character string.

Set key provider to File rather than Configuration, this means the key won't end up in your version control.

Tick the 'strip trailing line breaks' box to avoid the "The selected key size does not match the actual size of the key." error

Key path should be relative to Drupal so the config will work on multiple sites
e.g. if you have created a file called /app/tfa.key on a lando container, set the key path to ../tfa.key
I'm actually creating mine in a keys directory.

Remember to save the key somewhere in your password manager, or your ansible variables, in case you lose the files later.
Remember to add /keys to your .gitignore file, so it won't get stored in version control.
Remember to copy it manually onto your production server.

In the TFA settings (/admin/config/people/tfa) you probably want to increase the number of times a user can skip validation.

Note that TFA has a separate 'Tfa user login' block (replacing the ordinary 'User login') 

Protect against brute-force login attacks. Unclear what's happening with porting of this.

Allows you to browse the site as another user (to see what they see) and then quickly switch back again.  A general Drupal recommendation is to create test accounts for each of your roles, so this is useful for testing them.  (As per notes, don't use it for anonymous access, just log out.)  Replacement for 'Switch User'.

Patch and known bug:

• Unmasquerade link appears for users with the permission: 'link to any page', regardless of masquerade status - patch #17 - the bug is as per #22 - Unmasquerade links aren't being shown correctly.