Traewelling / traewelling

Free check-in service to log your public transit journeys
https://traewelling.de
GNU Affero General Public License v3.0

Two Factor Login (2FA) with TOTP #1352

Closed Oxbowatos closed 9 months ago

Oxbowatos commented 1 year ago

Right now Träwelling is using 1FA (Password), but for more security I would like to have 2FA with a code that can be sent to email or through an auth app.

On the mobile app it could also be possible to add 3FA with fingerprint scanning or face recognition, which could skip 1FA and 2FA.

jeyemwey commented 1 year ago

Hi and thank you for your contribution! I've had some thoughts about TOTP, but held them back since it wouldn't be compatible with the v0 API. Here's my draft from last year (that was never published):


Is your feature request related to a problem? Please describe.

Username and Password are no longer optimal protection for internet accounts. For a few years, Time-Based One-Time Passwords have become the de-facto standard to mitigate this.

Describe the solution you'd like

We should use a library that provides the calculations. There are plenty of libraries out there, and we are not the first ones with this problem. Problem is to choose a good one /o\

In addition, we need to find a way to work with API logins which is another can of worms.

Here are some acceptance criteria that are in my mind:

Additional context


Code that can be sent to Email

As with sending a code via SMS, this is no longer recommended, to avoid email being the single point of failure in security systems.

On the Mobile App

Träwelling does not have an official mobile app and won't have one in the foreseeable future. I'd like to keep 2FA to Password Managers and Auth Apps that are built for exactly that.

DRSchlaubi commented 1 year ago

I guess the APIv0/mobile app issue is resolved since OAuth support has been added

ChristianTacke commented 1 year ago

Please also consider FIDO (U2F / FIDO2 / passwordless fido / passkeys / webauthn are all names for basically the same thing).

It's becoming more and more useful, it is phishing resistant, and has enough variants to offer one that would fit the needs of träwelling.

(I personally would vote for single factor u2f. But that's my take on it.)

The user cannot disable TOTP manually, but can write an email to the support to disable it (aka. remove data from the DB). There is no code required to remove the key.

Please let users add and remove multiple second factors as they see fit. For example if you only own one fido hardware token, then you should have a backup method. TOTP comes in nicely there.

If the support team just disables 2FA on a simple mail, then this degrades to "2fa code by email". Basically, if someone 0wns your email account, they 0wn träwelling.

MrKrisKrisu commented 1 year ago

I guess the APIv0/mobile app issue is resolved since OAuth support has been added

Not yet. This issue is resolved if the login/register endpoints are removed from the API, so users need to log in via the OAuth2 flow at traewelling.de and we can ask for a token directly.

jeyemwey commented 9 months ago

moved to https://github.com/Traewelling/traewelling/discussions/2007

Closing this thread to clean up the issues tab.

MrKrisKrisu commented 9 months ago

moved to discussions #2007