samdjstevens / java-totp

A Java library for implementing Time-based One-Time Passwords for Multi-Factor Authentication.
MIT License

How to confirm whether the QR code has been scanned? #40

Closed. fintechee closed this issue 3 years ago.

fintechee commented 3 years ago

Hi,

This is a great package! Amazing.

I just have one question. How can I confirm whether the QR code has been scanned? In case the user didn't scan the QR code, but the server side has registered the secret key, then both sides (the server side and the MFA app) couldn't sync the key info. Then the MFA login would fail. How can the server side be notified that the QR code has been scanned and the key has been registered in the MFA app?

Many thanks.

jarretttaylor commented 3 years ago

Just to be clear, there is no actual synchronization that occurs between an MFA APP and the server itself. With that in mind, you can give the user a field to enter an MFA APP-generated code and then you can validate their input on the server. If the user-supplied code is valid, enable MFA for the account.

fintechee commented 3 years ago

@jarretttaylor Thank you for your reply. But please consider this scenario: the signed-in user called some REST API on the server side to trigger the process for enabling MFA, then the server side generated the key for that user and sent the key back in some QR format. Meanwhile, the server side stored the key and waited for the user's next operation. Then the user looked at the QR code but, because he didn't have enough knowledge, he didn't know what to do and gave up. But the server side didn't know whether the user had scanned the QR code, since the user didn't submit anything. And the key would remain stored on the server side. Then the user couldn't log in the next time, because the server checked, found there was a key stored and treated the user as MFA-enabled. In this case, a notification or some confirmation is required.

jarretttaylor commented 3 years ago

Understood. Merely storing the key on the server side and using it as a flag to know that MFA is enabled is insufficient. You need a secondary flag that indicates that MFA is actually enabled for the account. You would not enable the second flag until the user completes the enrollment verification step.

fintechee commented 3 years ago

@jarretttaylor Good idea! Understood. Many thanks.

samdjstevens commented 3 years ago

Thanks for the nice words and glad the package is proving useful for you @fintechee!

As @jarretttaylor has said, there is no communication between the MFA device and the server. For your particular scenario, what most sites do is ask the user to enter 2 codes after scanning the QR code, so that the server knows that the setup worked correctly. This would mean generating the secret, putting the account into a "setting up MFA" state, and only fully enabling MFA once the user has entered the two codes as a confirmation.
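The enrollment flow described in the two replies above (a stored secret plus a separate "enabled" flag, set only after the user proves the app works by entering two consecutive codes), as an added example that is not code from java-totp or from any of the commenters. It implements RFC 6238 TOTP itself (HMAC-SHA1, 6 digits, 30-second step, the same defaults an authenticator app uses) so it runs stand-alone; the class and method names, the 10-minute expiry for unconfirmed enrollments and the `±2` step tolerance during confirmation are my own choices, not part of the library.

```python
"""Added example: TOTP enrollment with a pending state so that a
stored-but-unconfirmed secret never locks the user out of their account."""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional

STEP_SECONDS = 30
DIGITS = 6


def generate_secret() -> str:
    # 20 random bytes, base32-encoded: the form an authenticator app expects in an otpauth:// URI.
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def totp_code(secret_b32: str, at_time: float, step_offset: int = 0) -> str:
    """RFC 6238 TOTP for the time step containing at_time, shifted by step_offset steps."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(at_time // STEP_SECONDS) + step_offset
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


def verify_code(secret_b32: str, code: str, at_time: float, window: int = 1) -> Optional[int]:
    """Return the step offset (within +/- window) whose code matches, or None.
    Comparison is constant-time so the check itself leaks nothing about the code."""
    for off in range(-window, window + 1):
        if hmac.compare_digest(totp_code(secret_b32, at_time, off), code):
            return off
    return None


@dataclass
class MfaRecord:
    secret: str
    enabled: bool = False       # the second flag: only set once enrollment is confirmed
    pending_since: float = 0.0  # when the unconfirmed secret was issued


class MfaEnrollment:
    PENDING_TTL = 10 * 60  # assumption: unconfirmed secrets are discarded after 10 minutes

    def __init__(self) -> None:
        self.records: Dict[str, MfaRecord] = {}

    def begin(self, user: str, now: float) -> str:
        """Generate and store a secret in the 'setting up MFA' state; an earlier
        unconfirmed attempt is simply replaced. Returns the secret for the QR code."""
        rec = self.records.get(user)
        if rec is not None and rec.enabled:
            raise ValueError("MFA is already enabled for this user")
        secret = generate_secret()
        self.records[user] = MfaRecord(secret=secret, pending_since=now)
        return secret

    def confirm(self, user: str, code1: str, code2: str, now: float) -> bool:
        """Enable MFA only if the user supplies codes from two consecutive time steps,
        which shows the app holds the secret and is producing a live sequence."""
        rec = self.records.get(user)
        if rec is None or rec.enabled:
            return False
        if now - rec.pending_since > self.PENDING_TTL:
            del self.records[user]  # stale enrollment: drop the secret entirely
            return False
        off1 = verify_code(rec.secret, code1, now, window=2)
        off2 = verify_code(rec.secret, code2, now, window=2)
        if off1 is None or off2 is None or off2 != off1 + 1:
            return False
        rec.enabled = True
        return True

    def mfa_required(self, user: str) -> bool:
        """Login checks this flag, not the mere presence of a stored secret."""
        rec = self.records.get(user)
        return rec is not None and rec.enabled

    def verify_login(self, user: str, code: str, now: float) -> bool:
        rec = self.records.get(user)
        if rec is None or not rec.enabled:
            return False
        return verify_code(rec.secret, code, now) is not None
```

The point of `mfa_required` is that it consults `enabled` rather than the existence of a record, so a user who opened the QR code and walked away can still log in with a password alone, and the abandoned secret is purged the next time anyone touches that enrollment after the TTL.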

fintechee commented 3 years ago

@samdjstevens Many thanks. Understood. Again, this is a great package.