Open waltertamboer opened 7 years ago
I agree it would be very useful, especially for those who are...more security conscious.
The main thing to consider is what device to use: a smartcard type device (gpgcard, YubiKey) with some fingerprint or cert, a smartphone app or an OTP (like Google Authenticator or SMS).
Using SMS would require ongoing cost.
My personal preference would be to support hardware devices like YubiKeys (because I use one :) ) and an open source smartphone app that provides One Time Passcodes.
I'm searching for figures on the most widely used implementations, but haven't found anything yet. The best so far I can find is:
In terms of UI design there will (more than likely) be design patterns that can be used for these interactions. It's probably best to copy already-used patterns as there's a better chance they'll be familiar to users.
Good feedback, thanks! I think we should start with an OTP implementation in combination with a smartphone app, simply because it's the easiest to implement (I've done it before). I would definitely prefer to implement all variants. Personally I don't own a hardware device, so making an implementation is a bit difficult for me.
> Good feedback, thanks!

No problem. You're welcome!

> I think we should start with an OTP implementation in combination with a smartphone app.

Agreed.

> Personally I don't own a hardware device so making an implementation is a bit difficult for me.

It's very easy to get one. Yubico often give them away at conferences and events. Possibly at FOSDEM next year if you're there.
I'll try and find some examples of design patterns for their use.
As an extra layer of security we will support 2FA. GitHub has described a nice way of handling 2FA in combination with OAuth.
https://developer.github.com/v3/auth/#working-with-two-factor-authentication