2 Factor Authentication for the portal

[ei-nghon-phoo]

User Story:

As a user concerned about the security of my account, I want to enable two-factor authentication using an authenticator app for accessing admin portal so that I can add an extra layer of security to my account and ensure that only I have access to it, even if my password is compromised.

Acceptance Criteria:

• Enabling 2-Factor Authentication:

  • Given that I am a registered user, enabling 2FA should be a mandatory step to follow.

• Authenticator App Option:

  • Given that I choose to enable two-factor authentication,
  • Then, the system should provide an option to use an authenticator app.

• Unique QR Code for Each User:

  • Given that I select the authenticator app option,
  • Then, the system should generate a unique static QR code specific to my user account.

• Scanning QR Code:

  • Given the generated QR code,
  • When I use my authenticator app to scan the QR code,
  • Then, the app should successfully add my account for two-factor authentication.

• Verification Process:

  • Given that I have successfully scanned the QR code,
  • Whenever I log in with my username and password,
  • Then, the system should prompt me to enter the authentication code generated by the authenticator app.

• Authentication Code Validation:

  • Given that I enter the authentication code from the app,
  • When I submit the code,
  • Then, the system should validate the code and grant access if the code is correct.

• Backup Options:

  • Given that I enable two-factor authentication,
  • Then, the system should provide backup option such as contacting to administrator to reset the account in case I lose access to the authenticator app.

• Error Handling:

  • Given any errors during the two-factor authentication setup,
  • Then, the system should display clear and user-friendly error messages such as "invalid authentication code, please try again".

[bushjames]

Consultation with product council recommended to decide if 2FA should be enabled by default and require definite action to disable. On agenda for PC call 27 Feb 2024.

[bushjames]

Issue raised with product council. Discussion on the PC call (27 Feb 2024) concluded that 2FA for all portals should be supported in any "off-the-shelf" mojaloop version, enabled by default and requiring action to disable. This follows a "fail safe" and "secure by default" approach. Some further discussion of this topic is possible over the coming few days.