sandstorm / NeosTwoFactorAuthentication

Extend the Neos Backend Login with 2FA
MIT License

Feature Request: Show code to allow adding a second factor with devices without camera #23

Closed Benjamin-K closed 1 month ago

Benjamin-K commented 1 year ago

Current behaviour

Only the QR code is shown to create a new second factor.

Expected behaviour

The code for the second factor will be shown below the QR code. This will enable devices with broken or no camera to add a second factor.

JamesAlias commented 1 year ago

I did a quick search and only found out that in order to use a string instead of a QRCode the user would have to enter the secret of the generated TOTP (which is very (very) long) "by hand".

example: "FDS32DQWNTQD3OP26JHQG7W6U7YCUAHKFMQ77Q7AZ7LRVVXG2JAWWCHHSK4BEBO24RHN3B4XUVDV226YGKOXFJVVQUXP4VWEGEC3U3I"

Do you know another way?

JamesAlias commented 1 year ago

We could generate a secret that is shorter. But I'm not sure of the security implications right now.

Benjamin-K commented 8 months ago

I'm not sure about the security implications either. But I would also be ok with such a long secret. The secret could be clipped or sth. and only shown completely when clicking a button. Sth. like:

FDS32DQWNTQD3OP26JHQ... [Show code] [Copy code]

What do you think?

Another option would be to generate a less secure / shorter secret for the string and keep the long secret for the QRCode (maybe by clicking a button [Show code] below the QR-Code)

JamesAlias commented 3 months ago

@Benjamin-K have a look at #33

Would this work for you?
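
On the open question of secret length for manual entry: RFC 4226 requires a shared secret of at least 128 bits and recommends 160 bits, which is 32 Base32 characters. The sketch below is an added example, not code from this thread or from the package; all function names are hypothetical. It generates such a secret, groups it for typing, and shows that the hand-typed form yields the same RFC 6238 code as the original.

```python
import base64, hashlib, hmac, secrets, struct

MIN_BITS = 128          # RFC 4226 R6: shared secret MUST be at least 128 bits
RECOMMENDED_BITS = 160  # RFC 4226 R6: recommended shared secret length

def generate_secret(n_bytes=RECOMMENDED_BITS // 8):
    """Random secret as unpadded Base32, the form carried in otpauth:// URIs."""
    if n_bytes * 8 < MIN_BITS:
        raise ValueError("secret shorter than the RFC 4226 minimum of 128 bits")
    return base64.b32encode(secrets.token_bytes(n_bytes)).decode().rstrip("=")

def normalize(typed):
    """Undo display grouping and lower-casing introduced by manual entry."""
    return "".join(typed.split()).replace("-", "").upper()

def decode(secret_b32):
    """Base32-decode a secret, restoring the padding that was stripped."""
    s = normalize(secret_b32)
    return base64.b32decode(s + "=" * (-len(s) % 8))

def secret_bits(secret_b32):
    """Key length in bits, to compare against MIN_BITS / RECOMMENDED_BITS."""
    return len(decode(secret_b32)) * 8

def for_display(secret_b32, group=4):
    """Split the secret into short groups so it can be read and typed."""
    s = normalize(secret_b32)
    return " ".join(s[i:i + group] for i in range(0, len(s), group))

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(decode(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    secret = generate_secret()               # constructed sample: 160 bits
    shown = for_display(secret)              # eight groups of four characters
    print(shown, "->", secret_bits(secret), "bits")
    # The grouped, lower-cased text typed by hand gives the same code.
    print(totp(secret, 59) == totp(shown.lower(), 59))
```
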