On the TOTP thing, for now there’s no de-facto standard in the world of XMPP AFAIK. It’s fairly easy to implement server-side though, as we did for Crisp (that’s one morning’s work server-side), so my take is that I’ll write a Prosody module for that, which will then issue server-side re-usable tokens, which I think is much better than storing an account’s master password locally.
I’ll dig more into the server-side implementation details later on, as it’s definitely a best practice to do TOTP at login and then store permanent session tokens that can be remotely revoked at any time.
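The flow the post sketches (TOTP checked once at login, then a server-issued session token that can be revoked at any time instead of the account password being stored on the client), as an added example that is not part of the original post and is neither Crisp's code nor a Prosody module. It assumes an in-memory store and hypothetical names (`SessionStore`, `verify_totp`); the TOTP part follows RFC 6238 with HMAC-SHA1, allows one time step of clock skew, and refuses to accept the same time step twice so a captured code cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1):
    """Return the matched time-step counter, or None. Checks +/- `skew` steps
    around the server clock and compares in constant time."""
    base = at // STEP
    for counter in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def _token_hash(token: str) -> str:
    # Only a hash of the token is stored server-side, so a leaked store yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Hypothetical server-side store: TOTP at login, revocable long-lived tokens afterwards."""

    def __init__(self):
        self._sessions = {}       # token hash -> {"user": ..., "issued": ...}
        self._last_counter = {}   # user -> last accepted TOTP counter (replay guard)

    def login(self, user: str, secret: bytes, code: str, now: int):
        counter = verify_totp(secret, code, now)
        if counter is None:
            return None                          # wrong code
        if counter <= self._last_counter.get(user, -1):
            return None                          # code for this time step already used
        self._last_counter[user] = counter
        token = secrets.token_urlsafe(32)        # what the client keeps instead of the password
        self._sessions[_token_hash(token)] = {"user": user, "issued": now}
        return token

    def authenticate(self, token: str):
        entry = self._sessions.get(_token_hash(token))
        return entry["user"] if entry else None

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(_token_hash(token), None) is not None

    def revoke_all(self, user: str) -> int:
        """Remote revocation of every session a user holds, e.g. after a lost device."""
        doomed = [h for h, e in self._sessions.items() if e["user"] == user]
        for h in doomed:
            del self._sessions[h]
        return len(doomed)


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret, with the clock taken from the real time.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("authenticator shows:", totp(demo_secret, now))
    print("base32 for enrolment:", base64.b32encode(demo_secret).decode())
    store = SessionStore()
    tok = store.login("alice", demo_secret, totp(demo_secret, now), now)
    print("token issued:", tok is not None, "-> user:", store.authenticate(tok))
    store.revoke(tok)
    print("after revoke:", store.authenticate(tok))
```

The replay guard means a second login within the same 30-second step is refused even with the correct code, which is the behaviour RFC 6238 recommends; a real Prosody module would persist the token hashes and the last-accepted counter rather than keeping them in process memory.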