TASVideos / tasvideos

The code for the live TASVideos website
https://tasvideos.org/
GNU General Public License v3.0

Two-factor authentication #1655

Open calvarado194 opened 10 months ago

calvarado194 commented 10 months ago

As it says on the tin!

2FA should not be required except maybe to staff and admins (and even then I'm dubious), but having it at all seems like a sensible choice. I understand implementation is non-trivial, and I'm perfectly ok with this being a long-term project, but I think the benefits are worth at least looking into it.

Of the several choices, I feel either email or TOTP apps are the best way to go about it. Here's some documentation I found from Google Authenticator: https://cloud.google.com/identity-platform/docs/web/mfa
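The TOTP option mentioned above, shown as an added example that is not part of the TASVideos code base or of this issue: a minimal RFC 6238 implementation with the checks a server-side verifier needs (a small clock-skew window, constant-time comparison, and rejection of a code that was already accepted, so a captured code cannot be replayed). The enrollment helpers (`new_secret`, `provisioning_uri`) and the account/issuer strings are assumptions for illustration; the sample key `12345678901234567890` is the public RFC 6238 test key, used here only so the output can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 test key (public, from the RFC's appendix); never use it for a real account.
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the code matched, or None.

    `window` is how many steps of clock skew to tolerate on each side.
    `last_counter` is the highest counter already accepted for this user (persist it);
    any counter at or below it is refused, which blocks replay within the window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now_counter = int(at_time) // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_counter:
            continue  # already consumed (or older): treat as replay
        expected = hotp(key, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


def new_secret(nbytes: int = 20) -> str:
    """Fresh per-user secret (160 bits for SHA-1), base32 without padding for authenticator apps."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Inverse of new_secret: restore base32 padding and decode to raw key bytes."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps read from a QR code during enrollment."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Enrollment for a hypothetical account, then one verification round with replay refused.
    secret = new_secret()
    print(provisioning_uri(secret, "alice", "ExampleSite"))
    key = decode_secret(secret)
    t = 1_700_000_000
    code = totp(key, t)
    accepted = verify_totp(key, code, t)
    print("first use accepted at counter", accepted)
    print("replay accepted?", verify_totp(key, code, t, last_counter=accepted) is not None)
```

The two things worth persisting per user are the raw secret (encrypted at rest) and `last_counter`; the window of 1 step covers ordinary phone clock drift without letting a code stay valid for more than about 90 seconds.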

YoshiRulz commented 10 months ago

https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html

It's worth pointing out the part where MFA means ≥ 2 of "something you {know,have,are}"—though that's complicated by the delegation of auth to the browser or dedicated hardware.

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

adelikat commented 10 months ago

A note that standard ASP.NET boilerplate MVC templates include 2FA. The database columns already exist. In fact, I had to remove the boilerplate when I started the project. I've never actually used the built-in stuff, but assuming it works okay, this shouldn't be an unreasonable amount of work.