Phoenix 2FA what are you using/can recommend?

What works well in your experience?

I'm not aware of any premade libraries, but since I already have 3 services registered with my "Google Authenticator", I googled a bit and found that it implements RFC 6238; I also found a blog post describing how to implement that RFC in Java.

1 Like

Thanx for the pointer the only thing I was able to locate so far is


guess will need to roll my own :slight_smile:

Some common 2FA strategies are using (in addition to username/password) random letters from a memorable word or a code sent via text message.

You can use services like Nexmo.com or Twilio.com for sending text messages (I've used both - though with Ruby).

Let us know how you get on with rolling your own - what kind of strategy are you going to go for?

Will try to use POT for starters :slight_smile: I like Google Authenticator since there is a strong ecosystem around it; you can use it for 2FA SSH logins etc., so it can be a single solution serving many needs.

1 Like

Text messages are considered unreliable (no service) and can get very expensive depending on the volume, also it can take multiple seconds up to minutes until they get delivered.

2FA as described in the RFC works offline as well, assuming the clock of the device is correct.

2 Likes

Yep there are definitely issues. My domain registrar uses texts, my bank uses a memorable word/phrase.

1 Like

How can a static string, which can leak just like a usual password/PIN, be considered 2FA?

1 Like

I wondered how effective it would be too - but it seems to be common with banks (well banks here anyway).

I'd love to see how it affects the odds of an account being hacked.

With my bank you get three (or it might be 5) attempts to log-in, after that you get locked out and have no choice but to reset your login (which is done via the post).

1 Like

Post as in Snail-Mail?


In Germany usually the last 10 digits of the IBAN (omitting leading zeros) are used as login name, and a freely chosen 5 digit password.

These two allow you to look at the account, but you can't place any order or change data. As soon as you want to change data or place an order you need a TAN (6 digit number) which is valid only for a single request/transaction. Modern TANs are sent via text messages or generated by a device which needs your bank card to be able to generate a TAN. Also there seem to be apps available which work similar to Google Authenticator. For the last 2 versions there is often an animation or barcode which you need to scan on the page with the generator to sync it to the transaction.

2 Likes

That's quite different to here.

They send you a user-id via the post (yep, snail mail) and then you have to set a password (which I think, if memory serves, is done on their site while on the phone to them). You then have to set up your memorable word/phrase (again I think while on the phone to them - so they know it's you).

Once you have that you can do anything. Log in, read statements, request things, apply for changes, make transfers etc. Although I would guess that if you did something that 'raised suspicion' they would block or contact you.

1 Like

I don't know if this counts as 2FA but my bank gives me a 3x3x3 array of numbers in a card, and asks for 3 numbers in 3 random positions. But this is just the same as a password you keep in your wallet, nothing more.

1 Like

It counts as 2FA as soon as it is a second barrier.

If you log in by username/password first and then have to use that matrix in a second pass, then it counts.

1 Like

I log in with username + password and for each operation that moves money I have to use the matrix.

Maybe not exactly what you have in mind, but close.

1 Like

I've implemented a login system which supports 2FA (TOTP, U2F, Email OTP, ...).

I've based the whole login logic around "Challenges" which are implemented as embedded Ecto models (in a session) which reference a module. Once created, a Session gets assigned the challenges it needs; and when one/many is not "completed" by the user, I enforce it in a Plug.

Works well and is very flexible (I implemented logins by email; password + 2FA; email + 2FA; password + email logins with it).

1 Like
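The challenge-based session design described in the post above (a session is assigned the challenges its login strategy needs, and a gate run on every request refuses access until all are completed) is sketched below as an added Python example. It is not the poster's Elixir/Ecto/Plug code; the user record, salt, password and email OTP are constructed for the illustration, and the email OTP is fixed rather than generated per login so the example runs offline. Two details are worth noting: a proof is only accepted for the challenge the gate currently demands, so the second factor cannot be probed before the first has been passed, and repeated failures on one challenge lock the session, in the spirit of the bank lockout mentioned earlier in the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed user record for this example. Passwords are stored as
# PBKDF2-HMAC-SHA256; the email OTP would normally be generated per login
# attempt and mailed, but is fixed here. Salt and values are made up.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "email_otp": "493021",
    }
}

MAX_ATTEMPTS = 5  # lock the session after repeated failures on one challenge


@dataclass
class Challenge:
    name: str
    completed: bool = False
    attempts: int = 0


@dataclass
class Session:
    user: str
    challenges: list = field(default_factory=list)
    locked: bool = False


# One verifier per challenge type; each receives the session and the user's proof.
def verify_password(session: Session, proof: str) -> bool:
    stored = USERS[session.user]["pw_hash"]
    return hmac.compare_digest(hash_password(proof), stored)


def verify_email_otp(session: Session, proof: str) -> bool:
    expected = USERS[session.user]["email_otp"]
    return hmac.compare_digest(expected.encode(), proof.strip().encode())


VERIFIERS = {"password": verify_password, "email_otp": verify_email_otp}


def new_session(user: str, strategy: list) -> Session:
    """Assign the challenges a login strategy needs, e.g. ["password", "email_otp"]."""
    return Session(user, [Challenge(name) for name in strategy])


def enforce(session: Session):
    """Plug-style gate run on every request: None means fully authenticated,
    otherwise the name of the challenge the user must complete next, or
    "locked" once too many attempts were made."""
    if session.locked:
        return "locked"
    for challenge in session.challenges:
        if not challenge.completed:
            return challenge.name
    return None


def complete_challenge(session: Session, name: str, proof: str) -> bool:
    """Accept a proof only for the challenge the gate currently demands."""
    required = enforce(session)
    if required in (None, "locked") or required != name:
        return False
    challenge = next(c for c in session.challenges if c.name == name)
    challenge.attempts += 1
    if not VERIFIERS[name](session, proof):
        if challenge.attempts >= MAX_ATTEMPTS:
            session.locked = True
        return False
    challenge.completed = True
    return True
```

Because every protected request goes through `enforce`, adding a new factor means writing one verifier and naming it in a strategy list; nothing else in the request path changes, which is the flexibility the post above describes.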

Nice did you implement TOTP using a lib or from scratch?

I use pot for TOTP and u2f-erl for U2F :slight_smile:

3 Likes

Nice work. FWIW https://github.com/github/SoftU2F, which widens the appeal of U2F a little, at least for OS X. There's a good writeup of the tradeoffs under Security Considerations.

Reddit's databases got nicked bcuz their SMS based 2FA was intercepted by an IMSI catcher.

Just sayin.

I've been using POT for over a year and it's a wonderful addition to other strategies (in our case Google / Microsoft via Ueberauth).

I've also contributed a little to pot.