Open ShaneMcC opened 6 years ago
We can now do single-use codes.
Will look at Yubikey at some point.
For push-based services I'm thinking that we can do something like:
When we reject an authentication request that requires 2fa, if there is a push-based method added to the account we can return a "supports push" header of some kind.
The calling party (the frontend) can then call a /pushAuth endpoint. That endpoint then triggers the push and waits (long-polling) for a period of time for the push to be approved.
If the push is approved generate a one-time-use temporary internal twofactorkey with a short expiry time and return the code to the user, they can then pass this through as the 2fa key for login.
The temporary internal key can then be removed automatically after being used.
This requires minimal changes to the auth flow then.
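As an added illustration of the flow proposed above (not code from the mydnshost issue or its repositories), here is the temporary single-use key store together with a simulated long-polling /pushAuth handler in Python; the 60-second TTL, the class and function names, and the `approved()` callback are assumptions.

```python
import hmac
import secrets
import time

PUSH_KEY_TTL_SECONDS = 60  # assumed short expiry for the temporary key


class PushKeyStore:
    """In-memory store for the temporary, single-use keys handed out after a
    push is approved. Each key is bound to one account and expires quickly."""

    def __init__(self, ttl=PUSH_KEY_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable for testing
        self._keys = {}              # key -> (user_id, expires_at)

    def issue(self, user_id):
        """Mint a random key once /pushAuth sees the push approved."""
        key = secrets.token_urlsafe(32)
        self._keys[key] = (user_id, self._clock() + self._ttl)
        return key

    def consume(self, user_id, candidate):
        """Validate a key presented as the 2FA code at login. Any matching
        entry is removed on first use, so a key can never succeed twice."""
        self._purge_expired()
        for key, (owner, expires_at) in list(self._keys.items()):
            # constant-time compare so a wrong guess leaks no prefix timing
            if hmac.compare_digest(key.encode(), candidate.encode()):
                del self._keys[key]
                return owner == user_id and self._clock() < expires_at
        return False

    def _purge_expired(self):
        now = self._clock()
        for key, (_, expires_at) in list(self._keys.items()):
            if now >= expires_at:
                del self._keys[key]


def push_auth(store, user_id, approved, timeout=30, poll_interval=1.0,
              sleep=time.sleep, clock=time.time):
    """Simulated /pushAuth handler: after triggering the push (not shown),
    long-poll `approved()` until it reports approval or the timeout elapses.
    Returns the temporary key on approval, None on timeout."""
    deadline = clock() + timeout
    while clock() < deadline:
        if approved():
            return store.issue(user_id)
        sleep(poll_interval)
    return None
```

A key presented by the wrong account, reused, or presented after expiry is rejected and discarded, which is the property the proposal relies on when it feeds the temporary key through the normal 2FA login path.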
More Authy Commits:
https://github.com/mydnshost/mydnshost-frontend/commit/838b2aa1fa4b2847f99e49063253d5d624830fca
https://github.com/mydnshost/mydnshost-api/commit/9c3e8cfb7dc5e1ead2f00b6ead14668d151c6612
Probably not going to enable this any time soon, but the ground work is at least there for doing 2fapush stuff if I find something a bit less awful.
2FA workflow sucks a bit.
I dislike having to pick up the phone, open Authy, find the right app, then type the code. (Not a unique problem!)
It would be nice to support some other options: