keygen-sh / keygen-api

Keygen is a fair source software licensing and distribution API built with Ruby on Rails. For developers, by developers.
https://keygen.sh

Add 2-factor authentication using Authy (or U2F) #112

Closed ezekg closed 3 years ago

ezekg commented 7 years ago

Would need to adjust the token creation flow to ask for a 2-factor code before issuing a token, which is kind of weird and non-RESTful, but I don't know of any other way.

ezekg commented 7 years ago

When generating tokens, accounts with 2FA should require an OTP, e.g.:

Request

curl -X POST https://api.keygen.sh/v1/accounts/afe5587d-a3d9-4669-919b-db55f448dc17/tokens \
  -H 'Content-Type: application/vnd.api+json' \
  -H 'Accept: application/vnd.api+json' \
  -u '{EMAIL}:{PASSWORD}'

Response

HTTP 422
{
  "errors": [
    {
      "title": "Two-factor authentication token required",
      "detail": "must be a valid 2FA token",
      "code": "2FA_REQUIRED",
      "source": {
        "pointer": "/meta/otp"
      }
    }
  ]
}

Request 2

curl -X POST https://api.keygen.sh/v1/accounts/afe5587d-a3d9-4669-919b-db55f448dc17/tokens \
  -H 'Content-Type: application/vnd.api+json' \
  -H 'Accept: application/vnd.api+json' \
  -u '{EMAIL}:{PASSWORD}' \
  -d '{
        "meta": {
          "otp": "123456"
        }
      }'

Response 2

HTTP 201
{
  "data": {
    "id": "6a7562be-b302-43d2-a550-30d6026247aa",
    "type": "tokens",
    …
  }
}

ezekg commented 6 years ago

U2F might be a better (and cheaper) option here.

ezekg commented 6 years ago

I think we can use Authy without Twilio i.e. for free. The QR code needs to contain this data:

otpauth://totp/zeke%40keygen.sh?secret=SECRET&issuer=Keygen

Here's a good lib: https://github.com/mdp/rotp.

Not sure how to add our logo yet, though.
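As an added example (not code from the keygen-api project or from the issue author), the following Ruby implements the pieces the two comments above describe end to end: an RFC 6238 TOTP generator/verifier on the standard library alone (so it stands in for the suggested rotp gem), the `otpauth://totp/...?secret=...&issuer=Keygen` provisioning URI with a real base32-encoded secret where the comment has the placeholder `SECRET`, and a hypothetical `TokenIssuer#create_token` that returns the same 422 `2FA_REQUIRED` / 201 pair as the earlier request/response sketch. The class, its method names, the account hash shape, the 30-second step, the one-step clock-drift window and the single-use counter check are all assumptions of this example, not Keygen API behaviour; the secret and account id in the demo are constructed.

```ruby
require 'openssl'
require 'erb'
require 'securerandom'

# RFC 4648 base32, unpadded (the form authenticator apps expect in an otpauth secret).
BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

def base32_encode(bytes)
  bits = bytes.unpack1('B*')
  bits += '0' * ((5 - bits.length % 5) % 5)
  bits.scan(/.{5}/).map { |chunk| BASE32[chunk.to_i(2)] }.join
end

def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map { |c|
    idx = BASE32.index(c) or raise ArgumentError, "invalid base32 character #{c.inspect}"
    idx.to_s(2).rjust(5, '0')
  }.join
  [bits[0, bits.length - bits.length % 8]].pack('B*')
end

# RFC 4226 HOTP / RFC 6238 TOTP: HMAC-SHA1, 6 digits, 30-second step (assumed defaults).
def hotp(secret, counter, digits: 6)
  mac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))  # 8-byte big-endian counter
  offset = mac.getbyte(mac.bytesize - 1) & 0x0f                       # dynamic truncation
  code = (mac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

def totp(secret, at: Time.now.to_i, step: 30, digits: 6)
  hotp(secret, at / step, digits: digits)
end

# Same layout as the URI in the comment above; label and issuer are percent-encoded.
def provisioning_uri(email, secret, issuer: 'Keygen')
  "otpauth://totp/#{ERB::Util.url_encode(email)}" \
    "?secret=#{base32_encode(secret)}&issuer=#{ERB::Util.url_encode(issuer)}"
end

# Constant-time comparison so a partially correct code is not detectable by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical stand-in for the token endpoint. Password auth is assumed to have already
# succeeded; this only decides whether the OTP sent in `meta.otp` lets a token be issued.
class TokenIssuer
  STEP = 30
  DRIFT = 1  # accept one step of clock skew on either side

  def initialize
    @last_counter = {}  # account id => highest counter already consumed
  end

  # Returns [http_status, json_api_body], mirroring the two responses in the issue.
  def create_token(account, otp:, now: Time.now.to_i)
    return [201, token_body] unless account[:totp_secret]  # account has no 2FA enrolled

    accepted = nil
    if otp
      counter = now / STEP
      (-DRIFT..DRIFT).each do |d|
        c = counter + d
        next if c <= @last_counter.fetch(account[:id], -1)  # replay of an already used code
        if secure_equal?(hotp(account[:totp_secret], c), otp.to_s)
          accepted = c
          break
        end
      end
    end
    return [422, otp_required_body] unless accepted

    @last_counter[account[:id]] = accepted  # every code is single-use
    [201, token_body]
  end

  private

  def otp_required_body
    { errors: [{ title: 'Two-factor authentication token required',
                 detail: 'must be a valid 2FA token',
                 code: '2FA_REQUIRED',
                 source: { pointer: '/meta/otp' } }] }
  end

  def token_body
    { data: { id: SecureRandom.uuid, type: 'tokens' } }
  end
end

if $PROGRAM_NAME == __FILE__
  secret = SecureRandom.random_bytes(20)  # enrolment: generate, then show a QR of this URI
  puts provisioning_uri('zeke@keygen.sh', secret)
  issuer = TokenIssuer.new
  acct = { id: 'afe5587d-a3d9-4669-919b-db55f448dc17', totp_secret: secret }  # constructed
  p issuer.create_token(acct, otp: nil)[0]           # 422: no OTP supplied
  p issuer.create_token(acct, otp: totp(secret))[0]  # 201
  p issuer.create_token(acct, otp: totp(secret))[0]  # 422: same code replayed
end
```

Two points a practitioner would want beyond what the comments say: the verifier must treat each accepted counter as spent (otherwise a code sniffed from one request is valid for the rest of its 30-second window, plus the drift), and the comparison of the expected and supplied code should be constant-time. The drift window of one step is a trade-off; widen it only if enrolled devices' clocks demand it.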

ezekg commented 5 years ago

(two attached screenshots, not reproduced)