simpleanalytics / roadmap

File your bugs and feature requests here

Add 2FA (two factor authentication) #10

Open adriaandotcom opened 4 years ago

adriaandotcom commented 4 years ago

Add 2FA so people can login with an additional check.

Thanks to @mahnouel

RihanArfan commented 4 years ago

Along with conventional TOTP, you could support WebAuthn in order to support Windows Hello, U2F Hardware keys such as Yubikey, etc.

adriaandotcom commented 4 years ago

Great suggestion, let's add that as well.

khrome83 commented 4 years ago

Authy is a nice integration for soft tokens. Not sure the cost or how much it ties you to Authy.

adriaandotcom commented 4 years ago

Thanks @khrome83, could you explain how Authy is different from using Google Authenticator? You can use them both in the same manner, right?

khrome83 commented 4 years ago

A few things.

  1. They have an integration directly with a provider. So SendGrid uses them, and it's a 7-digit code. The setup is also different because of that.

  2. They ask for a master password. And they persist across devices. If you use Google Auth, the recovery gets harder if someone loses their phone. With Authy the user just sets up the account on the new phone.

Also... google..

RihanArfan commented 4 years ago

Also... google..

Google Authenticator is fully offline.

Authy is easily vulnerable to sim swapping attacks if you sync it with a phone number, however, if you just use it offline it's pretty much the same as Google Authenticator.

I used to use Authy because some sites like Cloudflare forced you to use them if you wanted 2FA and after a while, I absolutely hated it and would not recommend forcing people to use it.

khrome83 commented 4 years ago

Google Auth does not have any recovery between devices. You’re stuck with recovery keys as the only recourse which many apps don’t provide.


Zane Milakovic

RihanArfan commented 4 years ago

@khrome83 Google Auth has recently gotten a pretty big update which lets you import from other devices.

khrome83 commented 4 years ago

I saw. I am also considering switching to Dashlane so everything is unified in my password manager.

adriaandotcom commented 1 year ago

Note to self: Guide to implement hardware keys: https://webauthn.guide/

See https://github.com/simpleanalytics/roadmap/issues/668 for duplicate issue.