smogon / pokemon-showdown-loginserver

MIT License

TOTP Two-factor authentication support #16

Closed tmagicturtle closed 1 year ago

tmagicturtle commented 1 year ago

I am not sure if I should do the PR for the client patch since the dev loginserver is staff only at the moment. But here is that repo/branch: https://github.com/tmagicturtle/Pokemon-Showdown-Client/tree/patch-7

Requires 1 dependency: "2fa-util". It has two deps of its own, otplib and qrcode, and is a single MIT-licensed file, so we can use it directly instead of requiring it as a node package. But it carries much of the work - it securely generates TOTP secrets, handles verifying TOTP tokens, and generates QR codes for the end-user to scan in their 2FA app.

Functioning demonstration video: https://www.youtube.com/watch?v=znuIBtmO-R8
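
For reference, the token check that a TOTP dependency performs on the server side can be written with Node's built-in `crypto` alone. This is an added example, not code from this pull request, from 2fa-util or from otplib: the function names, the raw-bytes secret, and the `lastUsedStep` value (assumed to be stored per user by the login server to reject replayed codes) are all assumptions.

```javascript
// Added example: RFC 6238 TOTP verification using only Node's crypto module.
const crypto = require('node:crypto');

const STEP_SECONDS = 30; // RFC 6238 default time step
const DIGITS = 6;        // token length most authenticator apps use
// Published RFC 4226 / RFC 6238 test secret (ASCII), used here as sample input.
const RFC_TEST_SECRET = Buffer.from('12345678901234567890');

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
// followed by dynamic truncation to a 31-bit integer.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** DIGITS).padStart(DIGITS, '0');
}

// TOTP is HOTP with the counter derived from the clock.
function totp(secret, unixSeconds) {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Returns the matched time step, or null if the token is rejected.
// window: how many steps of clock drift to tolerate on each side.
// lastUsedStep: highest step already accepted for this user; a token for
// that step or an earlier one is refused so a captured code cannot be replayed.
function verifyTotp(secret, token, unixSeconds, lastUsedStep = -1, window = 1) {
  if (typeof token !== 'string' || !/^\d{6}$/.test(token)) return null;
  const supplied = Buffer.from(token);
  const current = Math.floor(unixSeconds / STEP_SECONDS);
  let matched = null;
  for (let step = current - window; step <= current + window; step++) {
    if (step < 0) continue;
    const expected = Buffer.from(hotp(secret, step));
    // Constant-time comparison; both buffers are exactly DIGITS bytes long.
    const ok = crypto.timingSafeEqual(expected, supplied);
    if (ok && step > lastUsedStep && matched === null) matched = step;
  }
  return matched;
}

console.log(totp(RFC_TEST_SECRET, 59), verifyTotp(RFC_TEST_SECRET, '287082', 59));
```

The caller persists the returned step as the user's new `lastUsedStep` after a successful login.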

AnnikaCodes commented 1 year ago

I spoke to Zarel about this and we agreed that email-based password resets (smogon/pokemon-showdown-loginserver#2) should be implemented before this, so users have a way to reset their accounts if they lose their TOTP source.