haskell / hackage-server

Hackage-Server: A Haskell Package Repository
http://hackage.haskell.org

Support two factor authentication #1265

Open sorki opened 7 months ago

sorki commented 7 months ago

Multi-factor auth (MFA) or two-factor auth (2FA) would be a nice addition to hackage-server, both for its account management page and cabal upload functionality.

There seem to be three related libraries on Hackage:

As a minimal implementation, the account management page would allow a user to add a TOTP token via a QR code.

QR code related packages:

Suggestions welcome! I'm willing to work on this myself, and would also appreciate co-authors since this requires PRs for both hackage-server and cabal (and possibly for one of the OTP libraries).

gbaz commented 6 months ago

Other people raised this recently too -- especially in light of PyPI moving to 2FA: https://discuss.python.org/t/announcement-2fa-requirement-for-pypi-2024-01-01/40906

Working towards a 2FA story sounds well worth it and would be a welcome PR.

arianvp commented 2 months ago

There is also https://hackage.haskell.org/package/webauthn by yours truly, for YubiKeys and passkeys.