Security: Implement Two Factor Authentication #162

Open
mariobehling opened this issue Dec 30, 2020 · 4 comments

Comments

@mariobehling
Member

What options exist for two-factor authentication? As systems get hacked increasingly, we also need to implement ways to keep Open Event secure.

Therefore please propose and implement two factor authentication. Research solutions and implement the best suited option according to feedback.

I found this Open Source system https://www.privacyidea.org that also provides SMS through Sipgate, but maybe we simply start by using Email as a 2FA authentication method first?

@HarryHuy

I think you should provide at least two options: a phone-based verification along with an email-based one, in case users cannot access their phone.

For the phone-based method, using SMS might be less efficient than an application worldwide.

I see that privacyIDEA supports the TOTP protocol, which is supported by the very popular Google Authenticator and Microsoft Authenticator apps.

Here is a TOTP implementation in Node.js: https://github.com/speakeasyjs/speakeasy. Hope it can help!

@iamareebjamal
Member

I vote for TOTP as we are not/should not require mobile numbers. It is a hassle, SMS are not free, are prone to other attacks and are not that secure. Mobile numbers are rotated a lot, and thus pose another security threat.
TOTP is easy to implement, free and safe.

Server is in Python so we need a Python solution: https://github.com/pyauth/pyotp
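
The server-side TOTP check proposed in this thread, as an added example that is not part of the original discussion or the project's code: a standard-library Python implementation of RFC 6238 (the algorithm behind authenticator-app codes), with a clock-drift window and rejection of replayed codes. The `last_counter` per-user value and the sample secret (taken from the RFC 6238 test vectors) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length shown by common authenticator apps


def totp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter, using HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, last_counter, now=None, window=1):
    """Return the matched time-step counter, or None if the code is rejected.

    last_counter is the last counter accepted for this user (a hypothetical
    per-user stored value); refusing counters <= it blocks reuse of a code.
    """
    now = time.time() if now is None else now
    current = int(now) // STEP
    supplied = str(code).encode()
    matched = None
    for counter in range(current - window, current + window + 1):
        # Compare each candidate in constant time, with no early exit.
        expected = totp(secret_b32, counter).encode()
        if hmac.compare_digest(expected, supplied) and counter > last_counter:
            matched = counter
    return matched


# Constructed sample input: the RFC 6238 test secret, base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    t = 1111111109                                 # RFC 6238 test time
    code = totp(SAMPLE_SECRET, t // STEP)
    first = verify(SAMPLE_SECRET, code, last_counter=-1, now=t)
    print("code", code, "accepted at counter", first)
    print("replay:", verify(SAMPLE_SECRET, code, last_counter=first, now=t))
```

The caller stores the returned counter for the user after a successful login and passes it back as `last_counter` on the next attempt.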

@iswarmondal

Hey, is the backend written with Node.js? Then I can take this issue.

@mariobehling mariobehling transferred this issue from fossasia/open-event-frontend Jan 7, 2022
@palakshivlani-11

@mariobehling Can I work on this issue?

5 participants