
Implement token-based 2FA authentication #5163

Open
LiquidPL opened this issue Oct 23, 2019 · 9 comments

Comments

@LiquidPL
Contributor

Branching this off #2862, as it's now related to the client-specific stuff.

We should have an option for users to use a TOTP-based two-factor authentication method, in addition for the current, email-based one.

@peppy peppy added this to the Candidate Issues milestone Oct 24, 2019
@peppy peppy removed this from the Candidate Issues milestone Mar 2, 2020
@r1bnc

r1bnc commented Jun 13, 2020

Any update on this? It is annoying to get the code via email every time. It would be easier to just implement 2FA using TOTP.

@peppy
Sponsor Member

peppy commented Jun 21, 2020

There's no update, no. If there was an update it would be posted in this issue.

@alixdotsh

Commenting about this...

Using a 2FA app like Authy would be a good option for others; it's also more convenient to do. So if people are not getting codes via email they at least have a second option to choose from, like a 2FAS app.

iirc it can still be the same codes we get through email (hybrid of numbers and letters) using Authy or any other app for 2FAS authentication.

@r1bnc

r1bnc commented Dec 16, 2020

I'm not a fan of Authy. I just want to see the secret code in a QR code (or manual entry), then input that into something like Google Authenticator and use that to generate a Time-based One-Time Password (TOTP) that has 6 digits and 1 minute of expiry.
There are a lot of sample PHP projects with OTP functionality.

Honestly, logging in to my e-mail just to confirm my login is a PITA. If you are wondering, the email provider does not permit IMAP/SMTP access, that is why it is a PITA. And no, I am not switching email.

@LiquidPL
Contributor Author

LiquidPL commented Feb 4, 2021

I'd like to take a stab at implementing this. Is anyone working on it currently or is it free to take?

@peppy
Sponsor Member

peppy commented Feb 5, 2021

has not been started yet; go for it!

@LiquidPL
Contributor Author

LiquidPL commented Feb 5, 2021

Just to make sure: we want both a token prompt when logging in if you have 2FA/TOTP enabled, like on other websites, and also for it to replace the email verification in other places we use it, right?

Also would like to know if we want to give people an option to fallback to email if they lose their authenticator, or not.

@peppy
Sponsor Member

peppy commented Feb 6, 2021

I would have the fallback to email available for now, yes. We can decide to turn that off based on user feedback (or make it a toggle) in the future, but initial goals should be to improve convenience, not security (and support overhead after people lock themselves out).

5 participants