Two factor authentication (2FA)

[rugk]

2FA is a big and great mechanism for improving the security of your account. As Liberapay is about money, it should really have this.

See https://www.turnon2fa.com/ for common explanations of what it is.

How I'd say it is good to do:

1. Support TOTP first. It works with many phone apps and with a lib it is relatively easy to implement.
2. Maybe support U2F ("web auth", YubiKey), i.e. USB keys as a second factor later. See https://webauthn.io/ for testing them.

What you can do:

• Recovery codes. Show them once when the mode is activated and urge users to write them down and store in a save place. Users can then login with one of them. If it is used, you should trigger special precautions, e.g. send a mail to the user or forcing them to reset their password and invalidate all other recovery codes.
• You can get on https://twofactorauth.org/, when you've implemented it.

What do do not need to care about:

• SMS 2FA. It is insecure and costs money.
• Some custom cool app for 2FA. There are standards to use and there is no need to develop yet another app.

What you must not do:

• Confuse 2FA with password-less login. 2FA is an additional authentication. It does not replace passwords.

[sebastiansterk]

• FIDO U2F
• Yubico OTP
• OATH-TOTP

Would be great.

[rugk]

Note that most YubiKeys also support U2F, so that would enough to support, is not it?
But anyway, TOTP should get first as it is easy and can be used by anyone.

[revi]

TOTP should be priority, I agree with that too. TOTP can be used without dedicated hardware, but FIDO, you need hardware keys (i.e. Yubikeys).

Most of the site with FIDO sets TOTP as a fallback, like GitHub and/or Facebook.

[gergelypolonkai]

I don’t think Yubico OTP is really needed. Most YubiKeys support U2F. Some statistics would be nice with the ratio of U2F enabled to all Yubikeys.

A side note on U2F: even Google Authenticator supports it on Android (it’s not hardware, per se, but it’s limited to platforms where Authenticator can run). Browser support is also limited as of now.

As a conclusion, I also vote for TOTP + backup codes (although I think U2F would also be a great addition.)

[Changaco]

Troy Hunt: Beyond Passwords: 2FA, U2F and Google Advanced Protection

[sliptonic]

I would like to see this as well. For me u2f/fido/fido2 should be priority. There are now open-source keys available.
I'm willing to buy someone a key (yubikey or solokey) if they'll implement.

[hydrargyrum]

Are there any news? For a site involving money, 2FA is a must-have. TOTP is basic yet is very effective and very well-supported.

[rugk]

Is this a django app? If so I can recommend https://github.com/xi/django-mfa3

[sebastiansterk]

It is very sad to see that for 2 years there has been no priority or awareness of how important account security is.

[mimi89999]

Would you prefer to have Webauthn as a second factor or as the only factor (but with user verification on device) as described in #2163?

[rhamzeh]

@mimi89999 I personally would prefer it as a second factor.

Not sure if requiring some thing like TwoOff(password, webauthn, 2fa) code is worth the trouble to give users the choice.

But for me, at this point at least I'm not sure I'd use WebAuthn as a replacement for passwords.

with User Verification on Device
On some devices, this is a simple as touching the device (e.g. YubiKeys) and does not provide the extra biometric validation.

[rugk]

You can implement both. The user can add it as a second factor as the only factor for login.

She e.g. how nextclpud has implemented it:
https://github.com/nextcloud/twofactor_webauthn

If you have to decide I would also prefer the safe version as 2FA IMHO. But that may just be my personal "taste"/preference.

[mimi89999]

@rhamzeh

On some devices, this is a simple as touching the device (e.g. YubiKeys) and does not provide the extra biometric validation.

It depends on the value of https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement and whether the https://www.w3.org/TR/webauthn-2/#uv flag is verified.

[jozip]

Is this a django app? If so I can recommend https://github.com/xi/django-mfa3

Any word on whether or not this is a viable option? No, I took the time to actually read the README.

I've been trying to find something done for Pando, but nothing comes up. Should be possible to roll something competent using PyOTP.

[jozip]

I went ahead with this: #2195

[nehemiagurl]

TOTP + recovery codes is a must, otherwise anyone who saves a payment method is essentially one correct guess away from having their credit card abused.
U2F is very good to have, but if it's too much of a hassle then it's best to get TOTP out of the gate first and then U2F. But there should be some sort of 2FA as soon as possible.