Open rugk opened 6 years ago
Would be great.
Note that most YubiKeys also support U2F, so that would be enough to support, isn't it? But anyway, TOTP should come first as it is easy and can be used by anyone.
TOTP should be the priority, I agree with that too. TOTP can be used without dedicated hardware, but for FIDO you need hardware keys (i.e. YubiKeys).
Most of the sites with FIDO set TOTP as a fallback, like GitHub and/or Facebook.
I don’t think Yubico OTP is really needed. Most YubiKeys support U2F. Some statistics would be nice with the ratio of U2F enabled to all Yubikeys.
A side note on U2F: even Google Authenticator supports it on Android (it’s not hardware, per se, but it’s limited to platforms where Authenticator can run). Browser support is also limited as of now.
As a conclusion, I also vote for TOTP + backup codes (although I think U2F would also be a great addition.)
I would like to see this as well. For me u2f/fido/fido2 should be priority. There are now open-source keys available. I'm willing to buy someone a key (yubikey or solokey) if they'll implement.
Are there any news? For a site involving money, 2FA is a must-have. TOTP is basic yet is very effective and very well-supported.
Is this a django app? If so I can recommend https://github.com/xi/django-mfa3
It is very sad to see that for 2 years there has been no priority or awareness of how important account security is.
Would you prefer to have Webauthn as a second factor or as the only factor (but with user verification on device) as described in https://github.com/liberapay/liberapay.com/issues/2163?
@mimi89999 I personally would prefer it as a second factor.
Not sure if requiring something like TwoOf(password, webauthn, 2fa code) is worth the trouble to give users the choice.
But for me, at this point at least I'm not sure I'd use WebAuthn as a replacement for passwords.
> with User Verification on Device

On some devices, this is as simple as touching the device (e.g. YubiKeys) and does not provide the extra biometric validation.
You can implement both. The user can add it as a second factor or as the only factor for login.
See e.g. how Nextcloud has implemented it: https://github.com/nextcloud/twofactor_webauthn
If you have to decide I would also prefer the safe version as 2FA IMHO. But that may just be my personal "taste"/preference.
@rhamzeh
> On some devices, this is as simple as touching the device (e.g. YubiKeys) and does not provide the extra biometric validation.
It depends on the value of https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement and whether the https://www.w3.org/TR/webauthn-2/#uv flag is verified.
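The flag check described in the comment above, as an added example (not code from Liberapay or from the thread): a relying party parses the fixed 37-byte prefix of `authenticatorData`, confirms `rpIdHash` and the UP bit, enforces the UV bit only when it asked for `userVerification: "required"`, and rejects a non-increasing signature counter. The RP ID `example.org`, the helper `make_auth_data` and all sample values are constructed for the demonstration.

```python
import hashlib
import struct

# Bit positions in the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN, biometric, ...)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion_flags(auth_data: bytes, rp_id: str, uv_requirement: str,
                           last_sign_count: int) -> dict:
    """Relying-party checks on the flags byte for an authentication ceremony.

    uv_requirement is what the RP sent in PublicKeyCredentialRequestOptions.userVerification
    ("required", "preferred" or "discouraged"). Only a "required" ceremony whose UV bit is set
    may be treated as proof that the user was verified on the device; a "preferred" ceremony
    must not be silently upgraded to a passwordless login just because UV happened to be set.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence (UP) flag not set")
    uv_set = bool(parsed["flags"] & FLAG_UV)
    if uv_requirement == "required" and not uv_set:
        raise ValueError("user verification was required but the UV flag is not set")
    # Counter check per the spec: if either value is non-zero, the new one must be greater.
    if (parsed["sign_count"] != 0 or last_sign_count != 0) and parsed["sign_count"] <= last_sign_count:
        raise ValueError("signature counter did not increase; possible cloned authenticator")
    return {
        "user_verified": uv_set,
        "usable_as_sole_factor": uv_set and uv_requirement == "required",
        "sign_count": parsed["sign_count"],
    }


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (no attested credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    touch_and_pin = make_auth_data("example.org", FLAG_UP | FLAG_UV, 5)
    print(verify_assertion_flags(touch_and_pin, "example.org", "required", 4))
    touch_only = make_auth_data("example.org", FLAG_UP, 6)
    print(verify_assertion_flags(touch_only, "example.org", "preferred", 5))
```

Note that the UV bit only says the authenticator performed *some* user verification; whether that was a PIN or a biometric is not visible here, so an RP that insists on a particular method needs attestation metadata, not this check.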
> Is this a django app? If so I can recommend https://github.com/xi/django-mfa3
~Any word on whether or not this is a viable option?~ No, I took the time to actually read the README.
I've been trying to find something done for Pando, but nothing comes up. Should be possible to roll something competent using PyOTP.
I went ahead with this: #2195
TOTP + recovery codes is a must, otherwise anyone who saves a payment method is essentially one correct guess away from having their credit card abused. U2F is very good to have, but if it's too much of a hassle then it's best to get TOTP out of the gate first and then U2F. But there should be some sort of 2FA as soon as possible.
Does anyone know what the requirements are for setting up [2FA]: TOTP?
I would also like to see this implemented, as having TOTP enabled would give others and myself some additional peace of mind when it comes to security when using Liberapay, in contrast to some of the other sites that already provide this security feature.
2FA is a big and great mechanism for improving the security of your account. As Liberapay is about money, it should really have this.
See https://www.turnon2fa.com/ for common explanations of what it is.
How I'd say it is good to do:
What you can do:
What you do not need to care about:
What you must not do: