Open calvarado194 opened 10 months ago
https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
It's worth pointing out the part where MFA means ≥ 2 of "something you {know,have,are}"—though that's complicated by the delegation of auth to the browser or dedicated hardware.
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
A note that standard ASP.NET boilerplate MVC templates include 2FA. The database columns already exist. In fact, I had to remove the boilerplate when I started the project. I've never actually used the built-in stuff, but assuming it works okay, this shouldn't be an unreasonable amount of work.
As it says on the tin!
2FA should not be required except maybe for staff and admins (and even then I'm dubious), but having it at all seems like a sensible choice. I understand implementation is non-trivial, and I'm perfectly OK with this being a long-term project, but I think the benefits are worth at least looking into it.
Of the several choices, I feel either email or TOTP apps are the best way to go about it. Here's some documentation I found from Google Authenticator: https://cloud.google.com/identity-platform/docs/web/mfa