namsral / multipass

Better authentication for HTTP
BSD 3-Clause "New" or "Revised" License
73 stars, 4 forks

Add OTP to support for 2FA #6

Open namsral opened 8 years ago

namsral commented 8 years ago

Currently Multipass implements the second factor of 2FA, something you own. By implementing the first factor, something you know, Multipass would support 2FA.

Multipass core goals (excerpt):

OTP User flow

Upon requesting a login URL, a random OTP is generated, encrypted and embedded in the login URL, which is then sent to the user. The user is redirected to the confirmation page where the OTP is shown once. At this point the OTP is discarded from the server.
When opening the login URL, the user must input the OTP which was shown on the confirmation page. Upon submitting, the OTP is verified with the encrypted OTP embedded in the login URL (token).

Requirements
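
The OTP user flow proposed in the opening comment, written in Go as an added example; it is not part of the issue thread or Multipass's own code. AES-256-GCM, the 6-digit OTP length, binding the token to the user handle, and the names `newAEAD`, `IssueOTP` and `VerifyOTP` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"math/big"
)

// newAEAD builds AES-256-GCM from a 32-byte key that is assumed to exist only on the server.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueOTP returns the OTP to show once and the URL token holding it encrypted (handle is the AAD).
func IssueOTP(aead cipher.AEAD, handle string) (otp, token string, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000)) // uniform in [0, 999999], no modulo bias
	if err != nil {
		return "", "", err
	}
	otp = fmt.Sprintf("%06d", n.Int64())
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", "", err
	}
	return otp, base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(otp), []byte(handle))), nil
}

// VerifyOTP decrypts the token from the login URL and compares the submitted OTP in constant time.
func VerifyOTP(aead cipher.AEAD, handle, token, submitted string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < aead.NonceSize() {
		return false
	}
	want, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(handle))
	return err == nil && subtle.ConstantTimeCompare(want, []byte(submitted)) == 1
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key; a real key must be random and secret
	otp, token, _ := IssueOTP(aead, "user@example.com")
	fmt.Println(otp, token, VerifyOTP(aead, "user@example.com", token, otp))
}
```

Because the server keeps no OTP state in this flow, the token alone does not enforce single use or an attempt limit; with a short numeric OTP, guesses per token need to be rate limited on the server.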

elvarb commented 7 years ago

Using FIDO U2F keys would be perfect here.

For example, with this library: https://github.com/flynn/u2f