MCWertGaming / authfox

AuthFox - a simple authentication and session server for Puroto, archived
GNU General Public License v3.0

Add 2FA functionality #36

Open MCWertGaming opened 2 years ago

MCWertGaming commented 2 years ago

2FA would be a nice thing to protect user accounts. Things to implement would be:

Things we could consider:

fwuffyboi commented 2 years ago

What about SMS verification? Or is that a bad idea because of SIM swapping?

MCWertGaming commented 2 years ago

The thing with SMS 2FA is that it's not that secure due to SIM swapping (depending on your network provider of course), but also because of the technical implementation. We would need some system for sending SMS messages through a mobile network operator and then might have to deal with many things. For example, most SMS providers blacklist phone numbers when they send the same message (with different numbers) multiple times, because that's also something used to send people spam and phishing.

So yeah. Also I guess that everyone has a phone for using TOTP with Google Authenticator or FreeOTP. If someone is really worried about security, they should just buy a YubiKey or some security token that supports FIDO2 / Authn and then use it for 2FA.

Authn passwordless is really interesting and is being tested by Microsoft at the moment. It's basically replacing the password with the security token. This way you would enter your username / email and then confirm your identity with your security token. Cloudflare is currently testing that as a replacement for reCAPTCHA to stop the waste of hours of humanity on human verification.

So yeah idk, but I think that TOTP and FIDO2 / Authn are the most important for now. When we have that, we can discuss other methods ^^
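
The TOTP option discussed above, as an added worked example that is not part of authfox or this thread: a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation with the server-side checks a practitioner would want (a small clock-drift window, constant-time comparison, and rejection of a replayed code), plus the `otpauth://` provisioning URI that apps like Google Authenticator and FreeOTP scan. The secret, issuer and account name are assumptions for illustration; the expected codes are the published test vectors from RFC 4226 Appendix D and RFC 6238 Appendix B.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier.

Added example, not authfox's own code. Secret, issuer and account below are
illustrative assumptions; the test vectors are the ones published in the RFCs.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algorithm)


class TotpVerifier:
    """Server-side TOTP check with drift tolerance and replay rejection.

    `last_counter` must be persisted per user in a real deployment (it is the
    state that stops a captured code from being reused); here it lives in memory.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock drift
        self.last_counter = -1          # highest counter already consumed

    def verify(self, code: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                # this step (or an earlier one) was already used
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):     # constant-time comparison
                self.last_counter = c
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (Key Uri Format) that authenticator apps import via QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    params = urllib.parse.urlencode({
        "secret": b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    # RFC test secret; a real server would use secrets.token_bytes(20) per user.
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "Puroto"))   # assumed names
    now = int(time.time())
    code = totp(secret, now)
    v = TotpVerifier(secret)
    print("first use :", v.verify(code, at=now))     # True
    print("replayed  :", v.verify(code, at=now))     # False, same counter consumed
```

Two design points worth keeping when porting this: the per-user `last_counter` has to be stored alongside the secret, otherwise an attacker who shoulder-surfs or phishes one code can replay it within the step, and the secret itself should be generated with a CSPRNG and stored encrypted, since anyone who reads it can mint valid codes indefinitely.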

fwuffyboi commented 2 years ago

Ah, @MCWertGaming. That makes sense. If you were to implement it I would recommend Firebase; to my knowledge they have a lot of authentication methods you can add to your app, such as phone messaging and others like a Google account sign-up/link/login.

MCWertGaming commented 2 years ago

Personally, I don't like the data mining done by Google. But we have discussed third-party authentication sources internally and @Alekuso told me that Puroto won't have that. In the end I'll probably allow users to do that nevertheless, because why not. People don't have to create accounts everywhere of course - while that still means that we have to manage sessions etc. in authfox of course.

Does Firebase offer SMS? Never heard of that, idk. But for now I'd stick with TOTP and FIDO2 and later add the ability to create an account using GitHub / Google / idk. I'd also add the ability to use OpenID Connect in authfox as well, so third-party services can offer a "Sign in with Puroto" option. That would be cool I think.