deweller
commented
9 years ago I'd like to separate authentication into it's own service.
This is because tokenly will eventually have many discreet services that require authentication. The forum is one service, auctions and vending machines are another service.
I mention it here because 2FA may make sense in a new centralized authentication service rather than just for the forums and content app.
cryptonaut420
This one shouldnt be too hard. We will be using google authenticator for this. In user account settings, there should be an option to "Enable 2FA". If clicked, brings up a newly generated secret key + QR code for them and an input for them to enter a code. Once they scan their secret key and put in the first authentication code, it should mark their account as having 2FA enabled and save the secret (this can be done with the user_meta table). They should be able to go back to account settings later and disable 2FA after entering their password again
Add an additional input on the login page for 2FA codes with a placeholder "enter 2FA code if enabled". If they have it enabled, check that code on login to complete authentication.
This should also be added to the authentication methods in the API, and also to the account settings API endpoint (API endpoint to enable or disable 2FA).
PHP class for google authentication: https://github.com/PHPGangsta/GoogleAuthenticator