helloworld1 / FreeOTPPlus

Enhanced fork of FreeOTP-Android providing a feature-rich 2FA authenticator
Apache License 2.0

MFA push notifications in combination with selfhosted ntfy (=DIY Authy) #260

Open alexanderadam opened 8 months ago

alexanderadam commented 8 months ago

I'm not quite sure whether this is possible and whether the issue title explains properly what this is about. The general idea is to improve usability for 2FA.

So for 2FA users might have to unlock their mobile phone, open FreeOTPPlus+, search the relevant application and then they can actually start to type in the code manually or copy the code. However, the company Twilio created a smart solution for making this work-flow easier: Authy. Authy's workflow goes as follows:

the application calls Authy when it wants 2FA assurance. Using Apple or Google, Authy sends a push notification to the user’s device, which improves the user’s experience by leading the user to the mobile app. This push notification does NOT contain the transaction details.

This work-flow sounds great and clearly removes friction. But currently it relies on a proprietary and uncontrollable service. Such as most push notification infrastructures. However, there's ntfy. And this work-flow obviously relies on push infrastructure anyway.

Therefore it would be nice to also have a free and FOSS solution to improve people's security and make their lives easier.

Without knowing any details about Android development I would guess that it would need these things:

  1. The server must have an integration possibility so that services and applications can actually provoke this. The best way would probably be to mimic the Authy API, since other developers would then only have to give the config option to change the API URL. I created an ntfy issue for that.
  2. Either FreeOTP+ can fetch the push notification directly or it needs to be done with the ntfy Android app as a proxy but there should be a possibility to open a particular entry from FreeOTP+ app (maybe it would be good to discuss that with the ntfy maintainer [Discord / Matrix]). Maybe it would work with a custom schema (_i.e. otpauth://totp/some_email_provider and something like this might be relevant too_).

I'm fully aware that this is a lot to ask, but improving security and its usability for people believing in free software is probably worth a try.

PS: Thank you so much for maintaining FreeOTP+ :raised_hands:
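The push half of the workflow sketched in the two numbered items above, as an added example that is not code from FreeOTP+, ntfy or Authy: a self-hosted service publishes a ntfy message whose click action deep-links to one authenticator entry, and refuses to send an otpauth URI that still carries the `secret` parameter, so the push holds no credential material (matching the "does NOT contain the transaction details" property quoted above). The ntfy server URL and topic are placeholders; `Click`, `Title`, `Priority` and `Tags` are ntfy's publish headers.

```python
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
from urllib.request import Request, urlopen

NTFY_URL = "https://ntfy.example.invalid"  # placeholder, not a real server

# otpauth:// query fields that must never travel inside a push notification
_FORBIDDEN_PARAMS = {"secret"}


def entry_link(otpauth_uri: str) -> str:
    """Validate an otpauth:// deep-link and keep only what locates the entry."""
    u = urlparse(otpauth_uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    if not u.path.strip("/"):
        raise ValueError("otpauth URI has no account label")
    params = parse_qs(u.query)
    if params.keys() & _FORBIDDEN_PARAMS:
        raise ValueError("refusing to push an otpauth URI that contains the secret")
    # the label (path) plus issuer is enough for the app to find the entry;
    # digits/period/algorithm are dropped because they are not needed for lookup
    kept = {"issuer": params["issuer"]} if "issuer" in params else {}
    return urlunparse(("otpauth", u.netloc, u.path, "", urlencode(kept, doseq=True), ""))


def build_push(topic: str, otpauth_uri: str, service: str) -> Request:
    """Build the ntfy publish request: body names the service only, no code, no secret."""
    link = entry_link(otpauth_uri)
    body = f"{service} is asking for your 2FA code. Tap to open the entry."
    headers = {
        "Title": "2FA request",
        "Click": link,        # ntfy click action: tapping the notification opens the link
        "Priority": "high",
        "Tags": "lock",
    }
    return Request(f"{NTFY_URL}/{topic}", data=body.encode(), headers=headers, method="POST")


def send_push(req: Request) -> int:
    """Deliver the push (network call); returns the HTTP status code."""
    with urlopen(req, timeout=10) as resp:
        return resp.status
```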

helloworld1 commented 8 months ago

I have used some solutions like Microsoft Authenticator and Okta Verify, which are similar to Authy, that send push notifications for verification. The main question is whether the developers will use this solution. I know it is a chicken and egg problem, but I think that would be a more difficult ask since it is unlikely for large providers like Github, Google or Microsoft to use it.

alexanderadam commented 8 months ago

The main question is whether the developers will use this solution. I know it is a chicken and egg problem, but I think that would be a more difficult ask since it is unlikely for large providers like Github, Google or Microsoft to use it.

Yes, absolutely. It's not even meant for proprietary services. This is a feature that would be rather useful for hosting Open Source software. It's probably much easier to get it into projects like GitLab, OpenProject, Mattermost, GlitchTip, Vaultwarden, Nextcloud etc.

And it would probably even have a much higher impact with identity applications like KanIDM, Authelia, Authentik, Keycloak and others.