aedmonds / Magento-Two-factor-Authentication

Should be time-based or counter-based (HOTP/TOTP), and support the Google Authenticator mobile app.
https://github.com/orgs/magento-hackathon

Provide a list of backup codes #16

Open andrew-dwyer opened 10 years ago

andrew-dwyer commented 10 years ago

Generate a list of backup codes for users to use when they don't have access to the Google Authenticator app. This should work the same way it does with Google account. https://support.google.com/accounts/answer/1187538

aedmonds commented 10 years ago

I was thinking about this one back when we did the major refactoring. My thought is that we could generate 10 unique codes, store them as an encrypted array in an additional column in the user table. When a user uses one of the backup codes, it validates against the array. If it matches one of the values in the array, that value is removed from the array and saved back to the user table.

We may also want to include an email notification that alerts the user that a backup code was used.
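
The scheme described in the comment above (generate 10 codes, keep them in one extra user-table column, remove a code once it has been used, regenerate on demand), as an added example that is not code from this issue or from the Magento-Two-factor-Authentication extension. It is written in Python rather than the extension's PHP, and it stores salted slow hashes of the codes instead of an encrypted array, so a leaked column cannot be replayed as working codes; the column layout and function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

CODE_COUNT = 10      # matches the "10 unique codes" proposed in the issue
CODE_BYTES = 5       # 10 hex characters per code, shown to the user once
KDF_ITERATIONS = 100_000


def generate_backup_codes(count=CODE_COUNT):
    """Return `count` distinct random codes; display these to the user once.
    Calling this again and storing the result is the 'regenerate' path."""
    codes = set()
    while len(codes) < count:
        codes.add(secrets.token_hex(CODE_BYTES))
    return sorted(codes)


def _digest(code, salt):
    # Salted PBKDF2 so a dumped column is expensive to brute-force offline.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS).hex()


def store_backup_codes(codes):
    """Serialize the codes for the assumed user-table column: one per-user
    salt plus the hash of every still-unused code, never the codes themselves."""
    salt = secrets.token_bytes(16)
    record = {"salt": salt.hex(), "hashes": [_digest(c, salt) for c in codes]}
    return json.dumps(record)


def remaining_backup_codes(stored):
    """Number of unused codes left; useful for nudging the user to regenerate."""
    return len(json.loads(stored)["hashes"])


def consume_backup_code(stored, submitted):
    """Validate `submitted` against the column. On success return
    (True, updated column value) with the matched entry removed, so each
    code works exactly once; the caller can then send the 'code used' mail."""
    record = json.loads(stored)
    candidate = _digest(submitted.strip().lower(), bytes.fromhex(record["salt"]))
    matched = None
    for i, h in enumerate(record["hashes"]):       # no early exit: constant work
        if hmac.compare_digest(candidate, h):
            matched = i
    if matched is None:
        return False, stored
    del record["hashes"][matched]
    return True, json.dumps(record)
```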

andrew-dwyer commented 10 years ago

I was thinking along the same lines. We'll also need to provide functionality to regenerate the 10 codes when required. If I get some time I'll make a start on it.