2FA Options #35

Open
3 of 4 tasks
ShaneMcC opened this issue Nov 7, 2018 · 3 comments

ShaneMcC commented Nov 7, 2018

2FA workflow sucks a bit.

I dislike having to pick up the phone, open Authy, find the right app, then type the code. (Not a unique problem!)

It would be nice to support some other options:

  • U2F
    • I have no compatible devices, and have no idea how this works
  • Yubikey
    • Should be easy enough to add as it's still a "type a code, check it matches" option
  • Push Auth
    • Authy, DuoSecurity etc. This is a bit more work. We'd want to have the login page wait for the authentication to reply yay/nay and offer the option of just giving a code instead if possible.
  • Backup single-use codes.
  • Something else?
ShaneMcC added a commit to mydnshost/mydnshost-frontend that referenced this issue Nov 11, 2018

ShaneMcC commented Nov 11, 2018

We can now do single-use codes.

Will look at Yubikey at some point.

For push-based services I'm thinking that we can do something like:

When we reject an authentication request that requires 2fa, if there is a push-based method added to the account we can return a "supports push" header of some kind.

The calling party (the frontend) can then call a /pushAuth endpoint. That endpoint then triggers the push and waits (long-polling) for a period of time for the push to be approved.

If the push is approved, generate a one-time-use temporary internal twofactorkey with a short expiry time and return the code to the user; they can then pass this through as the 2fa key for login.

The temporary internal key can then be removed automatically after being used.

This requires minimal changes to the auth flow then.
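
A sketch of the temporary-key step proposed in the comment above, added here as an example and not taken from the mydnshost code. The class and method names, the in-memory store and the 60-second default expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TempTwoFactorKeys:
    """Hypothetical in-memory store of one-time keys issued after an approved push."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._keys = {}  # user_id -> (SHA-256 digest of key, expiry time)

    def issue(self, user_id, push_approved):
        """Called by the /pushAuth handler once the long-poll has an answer."""
        if not push_approved:
            return None  # denied or timed out: no key is ever created
        key = secrets.token_urlsafe(32)  # unguessable, unlike a 6-digit code
        digest = hashlib.sha256(key.encode()).digest()
        # Only the digest is kept, so a leaked store does not leak usable keys.
        # One outstanding key per user; a new approval replaces the old one.
        self._keys[user_id] = (digest, self.clock() + self.ttl)
        return key

    def redeem(self, user_id, presented_key):
        """Called from the normal login path, where the 2FA key is checked."""
        # pop() makes the key single-use: any attempt, right or wrong, burns it.
        entry = self._keys.pop(user_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() >= expires_at:
            return False  # approved, but not used within the expiry window
        presented = hashlib.sha256(presented_key.encode()).digest()
        return hmac.compare_digest(digest, presented)
```

Binding the key to the user who approved the push is what stops a key issued for one account from being accepted as the second factor for another.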

ShaneMcC added a commit that referenced this issue Nov 11, 2018

ShaneMcC commented Nov 11, 2018

Yubikey OTPs:

92afdaf
mydnshost/mydnshost-frontend@348d897

ShaneMcC added a commit to mydnshost/mydnshost-php-api that referenced this issue Mar 10, 2019
ShaneMcC added a commit to mydnshost/mydnshost-frontend that referenced this issue Mar 10, 2019
@ShaneMcC

More Authy Commits:

mydnshost/mydnshost-frontend@838b2aa
9c3e8cf

Probably not going to enable this any time soon, but the groundwork is at least there for doing 2fapush stuff if I find something a bit less awful.
