WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

Support SQRL and Threema (Suggestions) #376

Open JohnPlanetary opened 4 years ago

JohnPlanetary commented 4 years ago

The only really secure option (against common online attacks) is the FIDO U2F option... the rest is better than nothing.

With these in mind I would suggest:

1) SQRL (Secure Quick Reliable Login) support. This is similar to FIDO/FIDO2 but with more features and software support (already) in the major OS platforms. The two-factor plugin needs to get the Ed25519 public key from the user and after that request some gibberish to be signed by it for comparison. More info in the free and open protocol here: https://www.grc.com/sqrl/sqrl.htm

2) Threema (Gateway) support. Threema is one of the few available messenger apps completely made from the ground up with both security and privacy in mind (including no demand for e-mail/phone number). While it is not free, it is just a small one-time fee for the final users. This is still more secure than e-mail, TOTP and backup codes. The web site operator needs to pay Threema Gateway credits to use the network API. Since many already pay to send insecure SMS messages that should not be a problem for many of them. The idea is to use the Threema gateway network to send some randomly generated code to the user's Threema ID (similar to what would be done for e-mail). More info at: https://gateway.threema.ch
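The two flows proposed above, as an added example that is not part of this issue or of the two-factor plugin: the signed-challenge check (store the user's Ed25519 public key, issue random bytes, verify the signature over them) and the delivered-code check (generate a random code, hand it to an out-of-band channel such as the Threema gateway, verify what the user types back). It is written in Go with the standard library's crypto/ed25519 rather than the plugin's PHP, since the verification logic is identical in either language. `Verifier`, its in-memory maps, the user name `alice`, and the lifetimes and attempt budget are all assumptions made for the example; it does not implement SQRL's actual wire format or per-site key derivation, only the key-plus-signed-nonce core the suggestion describes, and the code is only generated and checked here, not sent anywhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

const challengeTTL, codeTTL, maxTries = 2 * time.Minute, 5 * time.Minute, 3 // example values, not the plugin's

// pending is one outstanding challenge or one delivered code for a user.
type pending struct {
	hash    [32]byte // codes only: SHA-256 of the code; the plaintext is never stored
	expires time.Time
	tries   int
}

// Verifier keeps per-user state in memory (a plugin would use user meta).
type Verifier struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]pending // keyed by user + NUL + raw challenge bytes
	codes      map[string]pending // keyed by user
	now        func() time.Time   // injectable clock, so expiry can be tested
}

func NewVerifier(now func() time.Time) *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string]pending{}, map[string]pending{}, now}
}

// RegisterKey stores the Ed25519 public key the user supplies at enrolment.
func (v *Verifier) RegisterKey(user string, pub ed25519.PublicKey) { v.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that the user's private key must sign.
func (v *Verifier) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.challenges[user+"\x00"+string(c)] = pending{expires: v.now().Add(challengeTTL)}
	return c, nil
}

// VerifySignature accepts sig only over an unexpired challenge issued to this user;
// the challenge is consumed on first use, whatever the outcome, so it cannot be replayed.
func (v *Verifier) VerifySignature(user string, challenge, sig []byte) bool {
	key := user + "\x00" + string(challenge)
	p, ok := v.challenges[key]
	delete(v.challenges, key)
	pub := v.pubKeys[user]
	// Length check first: ed25519.Verify panics on a key that is not 32 bytes.
	if !ok || len(pub) != ed25519.PublicKeySize || v.now().After(p.expires) {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// NewCode makes a six-digit code for out-of-band delivery; only its hash is kept server-side.
func (v *Verifier) NewCode(user string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.codes[user] = pending{hash: sha256.Sum256([]byte(code)), expires: v.now().Add(codeTTL)}
	return code, nil
}

// VerifyCode compares in constant time, enforces expiry and an attempt budget,
// and invalidates the code once it has been used or the budget is exhausted.
func (v *Verifier) VerifyCode(user, code string) bool {
	p, ok := v.codes[user]
	if !ok || v.now().After(p.expires) || p.tries >= maxTries {
		delete(v.codes, user)
		return false
	}
	p.tries++
	v.codes[user] = p
	got := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(got[:], p.hash[:]) != 1 {
		return false
	}
	delete(v.codes, user)
	return true
}

func main() { // stand-alone demo of the signed-challenge path
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(time.Now)
	v.RegisterKey("alice", pub)
	c, _ := v.NewChallenge("alice")
	fmt.Println("signed challenge accepted:", v.VerifySignature("alice", c, ed25519.Sign(priv, c)))
}
```

The two paths share the properties that make a second factor worth having over a captured password: a challenge is bound to one user and one login attempt and is discarded on first use, so a signature observed in transit is worthless afterwards; a delivered code is stored only as a hash, compared in constant time, and dies after a few minutes or three wrong guesses, so a leaked database or a brute-force loop against the form gains nothing.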

My1 commented 4 years ago

SQRL

I wasn't even aware that SQRL is out of beta/experimental/whatever by now. Cool. While I generally prefer U2F/FIDO2, SQRL is nicely designed in theory, but it probably needs quite a bit of work to implement all the details, while with WebAuthn especially, the biggest problems are already solved by browsers and a LOT of different PHP libraries, some being more and some being less easy.

In fact I was able to code a sandbox for WebAuthn and U2F in not too much time afair.

On the other hand SQRL needs no JS to function, which is a big plus in general, especially if you have ugly internet (ever tried 64 kbit/s? I don't recommend it), although granted, at least on WordPress that is basically a moot point, especially when we are talking about doing stuff in the backend.

On yet another hand is the obvious advantage that you don't need a piece of hardware (which can be quite cheap tho, with a little bit of luck as low as 5€), but also the disadvantage that the key's security is only as strong as the complete security of the OS and all of the things holding the key (especially on Windows and Android I am not thinking this is overly awesome); however U2F in software can already be achieved with things like krypt.co.

The biggest point however:

Also I think SQRL is a little out of scope for this project, as this project provides a second factor in addition to the password, while SQRL is supposed to be a complete login by itself (similar to FIDO2 with UV enabled or with RKs as well), with you generally not needing to enter even as much as a username, as the private key provides identification.

Threema

This seems to be a much better fit for this, as this is quite similar to SMS and all, but as it is a thing that

1) costs money
2) relies on an external service

this can easily lead to lockouts, which sux, and therefore should be something planned to get out of if needed.

iandunn commented 1 year ago

I agree, these seem like they'd be good options for add-on plugins, but aren't a great fit for the core plugin IMO.