hasgeek / lastuser

Lastuser has been merged into Funnel. This repository is archived.
https://hasgeek.com/
BSD 2-Clause "Simplified" License

Two-factor authentication #45

Open jace opened 11 years ago

jace commented 11 years ago

Lastuser needs two-factor authentication for anyone using their account to manage important data. Implementing it requires:

  1. Support for verifying mobile numbers and sending text messages to mobile numbers anywhere in the world, or making phone calls to read out codes (Twilio SMSes don't reach Indian numbers that are in the DND registry).
  2. Support for Google Authenticator as a mobile app.
  3. A mechanism by which to reset account access if the user has lost their credentials (phone/email).
jace commented 11 years ago

References:
https://www.tbray.org/ongoing/When/201x/2013/06/24/Two-Factor
https://code.google.com/p/google-authenticator/wiki/KeyUriFormat
http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

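The TOTP scheme and the Google Authenticator key URI referenced in the comment above, as an added example that is not Lastuser's own code: HOTP per RFC 4226, TOTP per RFC 6238 on top of it, an `otpauth://` provisioning URI per the KeyUriFormat page, and a server-side verifier that tolerates one 30-second step of clock drift, compares in constant time, and refuses to accept a time step at or below the last one already used (so an intercepted code cannot be replayed). The issuer name, account label and the hypothetical `last_used_step` storage are assumptions; the secret in the usage section is the RFC 4226/6238 test-vector secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse


def new_secret(length: int = 20) -> bytes:
    """Random shared secret; 20 bytes matches the SHA-1 output size used by most apps."""
    return secrets.token_bytes(length)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step size."""
    return hotp(secret, for_time // step, digits, algorithm)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the Google Authenticator KeyUriFormat, usually shown as a QR code.
    The secret is base32 without padding, as the format expects."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


def verify_totp(secret: bytes, submitted: str, now: int, last_used_step=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the matched time step, or None.

    Accepts the current step plus `window` steps either side (clock drift), compares
    every candidate with hmac.compare_digest, and skips any step at or below
    `last_used_step` so a code can only be accepted once. The caller is expected to
    persist the returned step as the new `last_used_step` (hypothetical storage)."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = now // step
    matched = None
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate, digits)
        # No early return: every candidate is compared, so timing does not reveal which step matched.
        if hmac.compare_digest(expected, submitted) and matched is None:
            matched = candidate
    return matched


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (constructed input, not a real account secret)
    rfc_secret = b"12345678901234567890"
    print(provisioning_uri(rfc_secret, "alice@example.com", "Lastuser"))
    print("code at t=59:", totp(rfc_secret, 59))
    step = verify_totp(rfc_secret, totp(rfc_secret, 59), now=59)
    print("accepted step:", step)
    print("replay:", verify_totp(rfc_secret, totp(rfc_secret, 59), now=59, last_used_step=step))
```

Two of the three requirements in the opening comment follow from this shape: the shared secret never leaves the server except once, inside the provisioning URI, so the app needs no SMS delivery at all; and because verification is a pure function of the secret and the clock, the recovery path for a lost phone has to be a separate mechanism (backup codes or an out-of-band reset), not a weaker TOTP check.
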
jace commented 9 years ago

Fido U2F (Universal 2nd Factor) is a new standard that uses a hardware key and support from the browser itself (currently Chrome 38+) to ensure the OTP is site-specific and so can't be collected by a phishing site. Google, GitHub and Dropbox already support this standard. Lastuser should too.

Fido specs: https://fidoalliance.org/specifications/download/
Fido videos: https://fidoalliance.org/adoption/videos/
GitHub announcement: https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication

jace commented 7 years ago

Authy provides a wrapper API for 2FA that covers most of our requirements. If the user has the Authy app installed, they get a code within the app instead of an SMS.

As Authy's API runs on Twilio, there's an important factor with delivering to Indian numbers: by default Twilio sends promotional SMSes, which won't deliver to DND numbers. Switching to transactional requires explicit approval via customer support. Twilio's billing may also be considerably more than Exotel (to be verified).

If the user has the Authy app installed, the app acts as a proxy for the phone, but can also be installed and logged into the same account from other devices. This means the phone number has not actually been verified. This impacts the verified_at column defined in #178.