Closed Oxbowatos closed 9 months ago
Hi and thank you for your contribution! I've had some thoughts about TOTP, but held them back since it wouldn't be compatible with the v0 API. Here's my draft from last year (that was never published):
Is your feature request related to a problem? Please describe.
Username and Password are no longer optimal protection for internet accounts. For a few years, Time-Based One-Time Passwords have been the de-facto standard to mitigate this.
Describe the solution you'd like
We should use a library that provides the calculations. There are plenty of libraries out there, and we are not the first ones with this problem. The problem is to choose a good one /o\
In addition, we need to find a way to work with API logins, which is another can of worms.
Here are some acceptance criteria that are in my mind:
Additional context
Code that can be sent to Email
As with sending a code via SMS, this is no longer recommended, so that email does not become the single point of failure in security systems.
On the Mobile App
Träwelling does not have an official mobile app and won't have one in the foreseeable future. I'd like to keep 2FA to Password Managers and Auth Apps that are built for exactly that.
I guess the APIv0/mobile app issue is resolved since OAuth support has been added
Please also consider FIDO (U2F / FIDO2 / passwordless fido / passkeys / webauthn are all names for basically the same thing).
It's becoming more and more useful, it is phishing resistant, and has enough variants to offer one that would fit the needs of träwelling.
(I personally would vote for single factor u2f. But that's my take on it.)
The user cannot disable TOTP manually, but can write an email to the support to disable it (i.e. remove the data from the DB). There is no code required to remove the key.
Please let users add and remove multiple second factors as they see fit. For example if you only own one fido hardware token, then you should have a backup method. TOTP comes in nicely there.
If the support team just disables 2FA on a simple mail, then this degrades to "2fa code by email". Basically, if someone 0wns your email account, they 0wn träwelling.
I guess the APIv0/mobile app issue is resolved since OAuth support has been added
Not yet. This issue is resolved if the login/register endpoints are removed from the API, so users need to log in via the OAuth2 flow at traewelling.de and we can ask for a token directly.
moved to https://github.com/Traewelling/traewelling/discussions/2007
Closing this thread to clean up the issues tab.
moved to discussions #2007
Right now Träwelling is using 1FA (Password), but for more security I would like to have 2FA with a code that can be sent to email or through an auth app.
On the mobile app it could also be possible to add 3FA with fingerprint scanning or face recognition, which could skip 1FA and 2FA.