heroku / heroku-two-factor

Deprecated - see our updated docs.
https://devcenter.heroku.com/articles/two-factor-authentication

Making validation a two step process #34

Closed friism closed 10 years ago

friism commented 10 years ago
  1. prompt for username/pass
  2. validate that shit
  3. send SMS (if enabled)
  4. prompt for 2FA code
  5. validate that shit
  6. you're in
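
The six-step sequence in the comment above, as an added Ruby example that is not code from this repository or its CLI plugin: a server-side two-step login where step one checks only the username/password and, on success, issues a short-lived challenge token (and sends an SMS code if that is the user's second factor), and step two checks only the second factor against that token. The user table layout, the `sms_sender` and `clock` callables, the PBKDF2 parameters and the TOTP settings (SHA-1, 30-second step, six digits, raw secret bytes) are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Two-step login flow: step1 = password, step2 = second factor.
# Assumed data model (not from the project):
#   users = { name => { salt:, password_hash:, totp_secret: raw bytes or nil, sms: bool } }
class TwoStepLogin
  CHALLENGE_TTL = 300 # seconds a step-one success stays redeemable

  # sms_sender: callable (username, code) -> sends the SMS; stubbed in tests
  # clock:      callable -> Integer seconds since epoch, injectable for tests
  def initialize(users, sms_sender:, clock: -> { Time.now.to_i })
    @users = users
    @sms_sender = sms_sender
    @clock = clock
    @challenges = {} # token => { user:, expires:, sms_code: }
  end

  # PBKDF2-HMAC-SHA256; iteration count is an illustrative assumption.
  def self.hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'sha256')
  end

  # Step 1: validate the password only. Returns [:ok, token] or [:error, msg].
  def step1(username, password)
    user = @users[username]
    # Run the hash even for unknown users so timing does not reveal existence.
    salt = user ? user[:salt] : SecureRandom.random_bytes(16)
    candidate = self.class.hash_password(password, salt)
    unless user && secure_equal(candidate, user[:password_hash])
      return [:error, 'invalid username or password']
    end

    token = SecureRandom.hex(16)
    challenge = { user: username, expires: @clock.call + CHALLENGE_TTL, sms_code: nil }
    if user[:sms]
      # SMS second factor: generate the code now and send it (step 3 in the issue).
      challenge[:sms_code] = format('%06d', SecureRandom.random_number(1_000_000))
      @sms_sender.call(username, challenge[:sms_code])
    end
    @challenges[token] = challenge
    [:ok, token]
  end

  # Step 2: validate the second factor only, bound to the step-1 challenge.
  def step2(token, code)
    challenge = @challenges.delete(token) # single use, whether it succeeds or not
    if challenge.nil? || challenge[:expires] < @clock.call
      return [:error, 'unknown or expired challenge']
    end

    user = @users[challenge[:user]]
    expected = challenge[:sms_code] || totp(user[:totp_secret], @clock.call)
    return [:error, 'invalid two-factor code'] unless secure_equal(expected, code.to_s)

    [:ok, challenge[:user]]
  end

  # RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): the code an authenticator
  # app produces after scanning an enrollment QR code.
  def totp(secret, now, step: 30, digits: 6)
    counter = [now / step].pack('Q>')
    hmac = OpenSSL::HMAC.digest('sha1', secret, counter).bytes
    offset = hmac.last & 0x0f
    bin = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) |
          (hmac[offset + 2] << 8) | hmac[offset + 3]
    format("%0#{digits}d", bin % 10**digits)
  end

  private

  # Constant-time comparison so a wrong code is not rejected faster by prefix.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The split gives the client the distinct errors the thread asks for ("invalid username or password" versus "invalid two-factor code"), which is also the caveat: a success at step 1 confirms the password before the second factor is checked, so step 1 needs the same rate limiting and lockout a single-step login would have, and the challenge token is single-use and short-lived so a captured one cannot be replayed.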
pedro commented 10 years ago

Humm interesting to think about this – is it describing the client flow or the API behavior?

The API behavior is a bit more complicated to make two-step because HTTP is stateless, etc. So from our perspective the API is "POST /apps"; it's not really going to be a two-step process, but the end result is similar:

From the client perspective, then, there's not an explicit API to request an SMS 2FA code.

brandur commented 10 years ago

@friism Can you explain the advantages of this over what we have today? I think of today's process as two step with just as smooth of a user experience.

  1. User initiates 2fa:enable: a QR code is displayed and scanned.
  2. User is prompted for user/pass/two-factor code. 2FA becomes fully activated.

friism commented 10 years ago

@brandur I think the problem I have with doing it in one go is that I'm not told whether I fucked up the password or whether I fucked up the 2FA code, but maybe that was addressed some other place?

Also this is not the enable flow, but the normal login flow.

brandur commented 10 years ago

@friism Oh doh, I see now. I think the error message added in heroku/heroku-two-factor#40 will help improve clarity here a lot. Thoughts?

friism commented 10 years ago

Cool! Closing.

brandur commented 10 years ago

Woot! Thanks Friis.