chiiya / filament-access-control

Admin user, role and permission management for Laravel Filament
MIT License
192 stars 24 forks

Optionally enabling 2FA per user #6

Open realslimsutton opened 2 years ago

realslimsutton commented 2 years ago

Would you consider adding an option for toggling 2FA on or off on a per-user-basis?

So, "User A" might have 2FA enabled and will be prompted to confirm the code as how you've got it now. However, "User B" might have 2FA disabled and after logging in, will be logged straight in.

I can create a PR if you're open to this feature request.

chiiya commented 2 years ago

Were you thinking of letting the users themselves control this? Because in that case I would prefer proper TOTP-based 2FA, somewhat similar to this package.

realslimsutton commented 2 years ago

Yeah, that's what I was thinking; however, the downside of having proper TOTP-based 2FA is that it isn't particularly user-friendly for users who aren't familiar with that technology, or who aren't "tech savvy" and likely won't have this set up properly.

2FA is obviously not as secure as a proper TOTP-based 2FA, but it is a middle ground for a specific audience, as it offers additional security (over no 2FA, though not as much as a full solution) and is simple and straightforward for the majority of users.

This package could potentially become a complement to the package you mentioned (as in, you use this package and the other in conjunction) or an outright replacement by offering both options (email-based and TOTP-based 2FA).

chiiya commented 2 years ago

I would be fine with a solution offering both variants. In any case, it should definitely be configurable whether users can disable 2FA themselves or not, since at least for us it's sometimes a security requirement to have mandatory 2FA.

I think the best case scenario would be: