Add official 2FA support to Accounts

[juho]

Adding 2FA into Accounts would be a great thing.

We've currently patched in our own version of dburles:two-factor from @dburles with SMS and OTP support, but I think it could be extended into e-mail as well. The feature requires some work. I've put in the most important one, allowing Accounts.resetPassword to not log the user in immediately, as another feature request as it's something that I think should be done sooner than later.

I'd be interested in starting a PR for accounts-password-2fa if @dburles is fine with this, contributing the stuff we've patched in for SMS and OTP (it needs some cleaning up). Making the system a drop-in thing with an easy validator that you can use for Twilio / Nexmo, along with built-in TOTP and e-mail support would be something to do first.

Doing this as an official package with recommendations in the Guide would be the best to position the Accounts system as something secure and ready to go to production.

I can iterate more on my thoughts on how it should function if there's interest and you lot think this is a good idea in the first place.

[afrokick]

@juho Do you have a plan to work on it? I found a tutorial about integration otplib. It will be very cool to have a native support for 2fa in Meteor.

[juho]

No plan currently - our app has this implemented but it's a patch over existing modules so I can't just publish those easily. Considering you're the first one that commented, it doesn't seem like there is a huge demand for out-of-the-box 2FA - yet. We should keep this open in case someone wants to take this on though.

[yorrd]

honestly, we decided not to do it, because it's just more work than expected atm. If there was a ready-to-use implementation, we would have probably included it in several apps now

[juho]

@afrokick @yorrd I recommend checking https://github.com/dburles/meteor-two-factor out. it's not that hard to wire in your own authy/nexmo verification to it if you NEED 2FA now. The biggest hurdles with this whole thing would be to make it secure across password changes, resets and 2fa enables/disables- providing those helper functions is most of the work as it needs to change how the existing password changes and resets in Accounts work to provide for a hook for 2FA to be requested. Again, we've implemented these internally but we also work with our own fork of Accounts entirely which will not translate to a PR super easily as it's touching a bunch of packages.

As far as I see, at least these need to be figured out:

• How to hijack login, password change, password reset in Accounts while 2FA is enabled? A hooks system might be overkill if the implementation were to be native - it could be checking for a Meteor.settings value instead.
• Is SMS support in the implementation? If so, with what service?
• Is OTP support in the implementation?
• Generating and storing OTP tokens

[harryadel]

I'd like to second @juho recommendation of using dburles/meteor-two-factor. We managed to implement FIDO 2FA authentication. It's totally doable! But, even so, it was somewhat hacky solution.