Skip to content

[WIP] MSC2271 TOTP 2FA login#2271

Closed
ara4n wants to merge 3 commits intoold_masterfrom
msc2271
Closed

[WIP] MSC2271 TOTP 2FA login#2271
ara4n wants to merge 3 commits intoold_masterfrom
msc2271

Conversation

@ara4n
Copy link
Member

@ara4n ara4n commented Aug 31, 2019
edited by turt2live
Loading

High level proposal for TOTP 2FA auth from @hawkowl

Rendered

SCT Stuff:

FCP closure tickyboxes

No MSC checklist

@ara4n ara4n added the proposal A matrix spec change proposal label Aug 31, 2019
@ptman
Copy link
Contributor

ptman commented Sep 30, 2019

Excellent. But a separate proposal for U2F/WebAuthn?

ptman
ptman reviewed Sep 30, 2019
View reviewed changes
proposals/2271-totp-2fa.md
Returns: `{"totp_key": "keyhere", "backup_keys": ["a", "b", "c"]}`

`DELETE /_matrix/client/r0/user/{user_id}/totp`
Remove TOTP from the account. Require password as a parameter (?)
Copy link
Contributor

@ptman ptman Sep 30, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Password and TOTP, I think.

Copy link
Contributor

@auscompgeek auscompgeek Sep 30, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other services I've seen allow you to remove 2FA tokens without having to auth the 2FA (only requiring password for confirmation). Of course you do need to be logged in already.

Copy link
Contributor

@ptman ptman Sep 30, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I've had the opposite experience, but can't name a service off-hand

Copy link
Contributor

@deepbluev7 deepbluev7 Feb 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this endpoint should just require user interactive auth, like other security sensitive endpoints do. The server could then decide, if you need to provide the password, password+totp token, password+totp recovery key, or any other combination, just like the usual flows.

@turt2live turt2live added the kind:core MSC which is critical to the protocol's success label Apr 20, 2020
@turt2live turt2live marked this pull request as draft April 8, 2021 23:36
@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
@clokep
Copy link
Member

clokep commented Jul 9, 2025

With the adoption of OAuth 2.0 based authentication API (MSC3861) I don't think the SCT will plan to further improve the Matrix-specific authentication APIs. With that in mind I'm going to put this up for closure. If the author wishes to close this they can do so directly at any point.

@mscbot fcp close

@mscbot
Copy link
Collaborator

mscbot commented Jul 9, 2025
edited by ara4n
Loading

Team member @clokep has proposed to close this. The next step is review by the rest of the tagged people:

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

@mscbot mscbot added proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. disposition-close labels Jul 9, 2025
@github-project-automation github-project-automation bot moved this to Tracking for review in Spec Core Team Workflow Jul 9, 2025
@turt2live turt2live moved this from Tracking for review to Ready for FCP ticks in Spec Core Team Workflow Jul 9, 2025
@mscbot
Copy link
Collaborator

mscbot commented Aug 12, 2025

🔔 This is now entering its final comment period, as per the review above. 🔔

@mscbot mscbot added final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. and removed proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. labels Aug 12, 2025
@turt2live turt2live moved this from Ready for FCP ticks to In FCP in Spec Core Team Workflow Aug 12, 2025
noelportillo
noelportillo reviewed Aug 14, 2025
View reviewed changes
Copy link

@noelportillo noelportillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok is going to good

@mscbot
Copy link
Collaborator

mscbot commented Aug 17, 2025

The final comment period, with a disposition to close, as per the review above, is now complete.

@mscbot mscbot closed this Aug 17, 2025
@mscbot mscbot added finished-final-comment-period and removed disposition-close final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. labels Aug 17, 2025
@turt2live turt2live moved this from In FCP to Merged in Spec Core Team Workflow Aug 18, 2025
@tulir tulir added rejected A proposal which has been rejected for inclusion in the spec and removed finished-final-comment-period labels Sep 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

4 more reviewers

@ptman ptman ptman left review comments

@auscompgeek auscompgeek auscompgeek left review comments

@deepbluev7 deepbluev7 deepbluev7 left review comments

@noelportillo noelportillo noelportillo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind:core MSC which is critical to the protocol's success needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal rejected A proposal which has been rejected for inclusion in the spec

Projects

Spec Core Team Workflow
Status: Merged/Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@ara4n @ptman @clokep @mscbot @auscompgeek @deepbluev7 @noelportillo @turt2live @tulir