apioo / fusio

Open source API management platform
https://www.fusio-project.org
Apache License 2.0

Add two factor authentication support #434

Open chriskapp opened 2 years ago

chriskapp commented 2 years ago

We should add 2fa support at the backend and developer app. Users should be able to manually activate this feature by using an app like Google Authenticator, where they can scan a QR code at the profile page. If a user makes a login, the user then needs to provide an additional code after authentication. We need to find a good way to implement this, i.e. we could still return an access token after login, but if 2fa is enabled then the user needs to activate this token before it can be used.

chriskapp commented 2 years ago

As library we could use: https://github.com/antonioribeiro/google2fa since we should use the Google Authenticator app. If a user activates 2fa auth for his account, he needs to provide a phone number for his account which we need to verify on configuration. If a user tries to obtain an access token and 2fa is activated, then the user needs to activate the access token through the Google Authenticator app. We probably can use 2fa only for interactions with a human; if a script tries to obtain an access token we cannot require 2fa, maybe this can be configured per app in Fusio.
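The flow sketched in this thread, an access token issued after password login that stays unusable until a code from an authenticator app activates it, as an added Python example. This is not Fusio's code and does not use the google2fa library: it implements RFC 6238 TOTP directly (HMAC-SHA1, 30 s step, 6 digits, which is what Google Authenticator expects); the `TokenStore` class, its method names, the "pending token" state and the replay check are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
STEP = 30    # time step in seconds (RFC 6238 default, used by Google Authenticator)
DIGITS = 6

def totp(secret: bytes, for_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter with HMAC-SHA1."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def provisioning_uri(secret: bytes, account: str, issuer: str = "Fusio") -> str:
    """otpauth:// URI an authenticator app reads from the profile-page QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP}"

class TokenStore:
    """Hypothetical store: tokens issued to 2fa users stay pending until a valid TOTP activates them."""
    def __init__(self):
        self.tokens = {}        # token -> {"user": str, "active": bool}
        self.last_counter = {}  # user -> last accepted time counter (blocks code replay)

    def issue(self, user: str, two_factor_enabled: bool) -> str:
        token = secrets.token_hex(16)
        self.tokens[token] = {"user": user, "active": not two_factor_enabled}
        return token

    def activate(self, token: str, secret: bytes, code: str, now: int, window: int = 1) -> bool:
        entry = self.tokens.get(token)
        if entry is None or entry["active"]:
            return False
        for delta in range(-window, window + 1):   # tolerate +/- one step of clock drift
            t = now + delta * STEP
            counter = t // STEP
            if counter <= self.last_counter.get(entry["user"], -1):
                continue                           # code for this step was already accepted
            if hmac.compare_digest(totp(secret, t), code):
                self.last_counter[entry["user"]] = counter
                entry["active"] = True
                return True
        return False

    def is_usable(self, token: str) -> bool:
        entry = self.tokens.get(token)
        return entry is not None and entry["active"]
```

The `totp` function reproduces the SHA1 test vectors from RFC 6238 (secret `12345678901234567890`, time 59 gives 287082), which is a quick way to check any TOTP implementation against the authenticator apps.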

Cale-Torino commented 1 year ago

The nice thing is that all these apps are compatible according to their readme.

- Authy for iOS, Android, Chrome, OS X
- FreeOTP for iOS, Android and Pebble
- Google Authenticator for iOS
- Google Authenticator for Android
- Google Authenticator (port) on Windows Store
- Microsoft Authenticator for Windows Phone
- LastPass Authenticator for iOS, Android, OS X, Windows
- 1Password for iOS, Android, OS X, Windows