AsteriskLabs / devise_google_authenticator

A Devise extension to allow your app to utilise Google's 2FA Mobile app
http://labs.asteriskinfosec.com.au/tag/devise_google_authenticator/
MIT License

Support for other 2 factor apps #17

Open ghost opened 10 years ago

ghost commented 10 years ago

Hey! Will this gem run well alongside https://github.com/Houdini/two_factor_authentication? It is a really good gem and I would love it if I could use this in conjunction with that.

xntrik commented 10 years ago

Hi @nahtnam - I haven't investigated this.. I'll try to get an opportunity to do this soon.

ghost commented 10 years ago

@xntrik That would be awesome! Thanks! :)

xntrik commented 9 years ago

I'd like to do Yubikey too, like Issue #5

eimermusic commented 9 years ago

@xntrik are you interested in something like a "plugin system" where TOTP codes, YubiKey, and possibly SMS could be added and enabled somewhat dynamically? Plugin might be the wrong word. The point being that an app developer could choose to expose one or more of a set of supported code types.

My, now old and messy, fork simply added a branching "verify" method that statically tried TOTP and YubiKey in sequence. Re-implementing that in a more separated and dynamic way would not be terribly hard. I will have to re-implement something equivalent soon and would like to do that in a way that is blessed and maybe even supported by this gem.

https://github.com/eimermusic/devise_otp_authenticator/blob/master/lib/devise_otp_authenticatable/models/otp_authenticatable.rb#L27-L37

The good thing is that TOTP and YubiKey have distinctly different codes, making it easy to detect which kind of code you are using. Add a few other "plugins" and that might fall down if several of them are 6 digits, for example.

The activation and setup of each type of code has less magic. You really need a separate activation flow for each type.

TOTP activation involves 2 steps. Showing the QR code and verifying with a code. YubiKey can be single-step. Focus a form field and press the button on the YubiKey and I get both the token id and can verify any subsequent presses are from the same token and are authentic.

As a side note, I personally never implemented SMS as a primary factor. Since there is a per-SMS cost we wanted to see if any customer would ask for it. They didn't :smile: but most users don't enable MFA either.
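
The format-based dispatch described in the comment above, as an added example that is not code from this thread, the linked fork or the gem: each enrolled factor declares a format test and a check, and every factor whose format matches is tried, so factors sharing a format do not shadow each other. The `VERIFIERS` table, `verify_second_factor`, the user hash keys, the injected `yubikey_validator` callable and the 12-character YubiKey public id are assumptions.

```ruby
require 'openssl'

# RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), standard library only.
def totp(secret, time, step: 30, digits: 6)
  hmac = OpenSSL::HMAC.digest('SHA1', secret, [time.to_i / step].pack('Q>'))
  offset = hmac[-1].ord & 0x0f
  code = hmac[offset, 4].unpack1('N') & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, '0')
end

# Constant-time string comparison for submitted codes.
def ct_eq(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# YubiKey OTP in modhex: 12-char public id + 32-char one-time part (assumed default layout).
YUBI_FORMAT = /\A[cbdefghijklnrtuv]{44}\z/
TOTP_FORMAT = /\A\d{6}\z/

# Hypothetical plugin table: a format test plus a check against the enrolled factor.
VERIFIERS = {
  totp: {
    format: ->(code) { code.match?(TOTP_FORMAT) },
    # Accept the previous, current and next 30 s step to tolerate clock drift.
    check: ->(user, code, now) {
      [-30, 0, 30].any? { |d| ct_eq(totp(user[:totp_secret], now + d), code) }
    }
  },
  yubikey: {
    format: ->(code) { code.match?(YUBI_FORMAT) },
    # The public id must be the token enrolled for this user; the one-time part is
    # then checked by an injected callable standing in for a validation service.
    check: ->(user, code, _now) {
      ct_eq(code[0, 12], user[:yubikey_id]) && user[:yubikey_validator].call(code)
    }
  }
}.freeze

# Returns the name of the enrolled factor that accepted the code, or nil.
# Every enrolled factor whose format matches is tried, so factors that share
# a format (several 6-digit types) do not shadow each other.
def verify_second_factor(user, code, now: Time.now)
  code = code.to_s.strip
  user[:enabled]
    .select { |name| VERIFIERS.fetch(name)[:format].call(code) }
    .find { |name| VERIFIERS[name][:check].call(user, code, now) }
end
```

Because only factors listed in the user's `:enabled` set are consulted, a well-formed code for a factor the user never enrolled is rejected without reaching its check.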

sahilchopra commented 8 years ago

Any progress for Mongoid 5 support?