What works well in your experience?
I'm not aware of any premade libraries, but since I already have 3 services registered with my "Google Authenticator", I googled a bit and found that it implements RFC 6238; also I found a blog post describing how to implement that RFC in Java.
Thanks for the pointer; the only thing I was able to locate so far is
Guess I will need to roll my own.
Some common 2FA strategies are using (in addition to username/password) random letters from a memorable word or a code sent via text message.
You can use services like Nexmo.com or Twilio.com for sending text messages (I've used both, though with Ruby).
Let us know how you get on with rolling your own - what kind of strategy are you going to go for?
Will try to use TOTP for starters. I like Google Authenticator since there is a strong ecosystem around it; you can use it for 2FA SSH logins etc., so it can be a single solution serving many needs.
Text messages are considered unreliable (no service) and can get very expensive depending on the volume; also it can take multiple seconds up to minutes until they get delivered.
2FA as described in the RFC works offline as well, assuming the clock of the device is correct.
Yep there are definitely issues. My domain registrar uses texts, my bank uses a memorable word/phrase.
How is a static string, which can leak just like a usual password/PIN, to be considered 2FA?
I wondered how effective it would be too - but it seems to be common with banks (well banks here anyway).
I'd love to see how it affects the odds of an account being hacked.
With my bank you get three (or it might be 5) attempts to log-in, after that you get locked out and have no choice but to reset your login (which is done via the post).
Post as in snail mail?
In Germany usually the last 10 digits of the IBAN (omitting leading zeros) are used as the login name, and a freely chosen 5-digit password.
These two allow you to look at the account, but you can't place any order or change data. As soon as you want to change data or place an order you need a TAN (6-digit number) which is valid only for a single request/transaction. Modern TANs are sent via text messages or generated by a device which needs your bank card to be able to generate a TAN. Also there seem to be apps available which work similar to Google Authenticator. For the last 2 versions there is often an animation or barcode which you need to scan on the page with the generator to sync it to the transaction.
That's quite different to here.
They send you a user ID via the post (yep, snail mail) and then you have to set a password (which I think, if memory serves, is done on their site while on the phone to them). You then have to set up your memorable word/phrase (again I think while on the phone to them, so they know it's you).
Once you have that you can do anything: log in, read statements, request things, apply for changes, make transfers etc. Although I would guess that if you did something that "raised suspicion" they would block or contact you.
I don't know if this counts as 2FA, but my bank gives me a 3x3x3 array of numbers on a card, and asks for 3 numbers in 3 random positions. But this is just the same as a password you keep in your wallet, nothing more.
It counts as 2FA as soon as it is a second barrier.
If you log in by username/password first and then have to use that matrix in a second pass, then it counts.
I log in with username + password and for each operation that moves money I have to use the matrix.
Maybe not exactly what you have in mind, but close.
I've implemented a login system which supports 2FA (TOTP, U2F, email OTP, ...).
I've based the whole login logic around "Challenges", which are implemented as embedded Ecto models (in a session) that reference a module. Once created, a Session gets assigned the challenges it needs; and when one/many is not "completed" by the user, I enforce it in a Plug.
Works well and is very flexible (I implemented logins by email; password + 2FA; email + 2FA; password + email logins with it).
Nice. Did you implement TOTP using a lib or from scratch?
Nice work. FWIW https://github.com/github/SoftU2F widens the appeal of U2F a little, at least for OS X. There's a good writeup of the tradeoffs under Security Considerations.
Reddit's databases got nicked because their SMS-based 2FA was intercepted by an IMSI catcher.
Just sayin'.