Comments (3)
jace
commented on September 3, 2024
References:
https://www.tbray.org/ongoing/When/201x/2013/06/24/Two-Factor
https://code.google.com/p/google-authenticator/wiki/KeyUriFormat
http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
from lastuser.
jace
commented on September 3, 2024
Fido U2F (Universal 2nd Factor) is a new standard that uses a hardware key and support from the browser itself (currently Chrome 38+) to ensure the OTP is site-specific and so can't be collected by a phishing site. Google, GitHub and Dropbox already support this standard. Lastuser should too.
Fido specs: https://fidoalliance.org/specifications/download/
Fido videos: https://fidoalliance.org/adoption/videos/
GitHub announcement: https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
from lastuser.
jace
commented on September 3, 2024
Authy provides a wrapper API for 2FA that covers most of our requirements. If the user has the Authy app installed, they get a code within the app instead of an SMS.
As Authy's API runs on Twilio, there's an important factor with delivering to Indian numbers: by default Twilio sends promotional SMSes, which won't deliver to DND numbers. Switching to transactional requires explicit approval via customer support. Twilio's billing may also be considerably more than Exotel (to be verified).
If the user has the Authy app installed, the app acts as a proxy for the phone, but can also be installed and logged into the same account from other devices. This means the phone number has not actually been verified. This impacts the verified_at column defined in #178.
from lastuser.
Related Issues (20)
- Allow client credentials in place of auth tokens for GraphQL endpoint
- Need unique index on lowercase of UserEmail.email HOT 2
- Disambiguate authorship from ownership HOT 1
- Backend service worker reorganisation
- Inferred vs explicit principals HOT 2
- Email addresses are case sensitive HOT 2
- Deprecate .html jinja templates
- Locked status for UserEmail and UserPhone HOT 2
- Support the Credential Management API
- No verification email for custom domain mailboxes HOT 1
- Merging users should be a reversible transaction
- Endpoint to remove external IDs HOT 1
- Remove Organization and Team models from Lastuser HOT 3
- Use bcrypt/scrypt for client credentials
- Support native app URIs
- Replace oauth2client with google-auth
- Replace load_models with ModelView HOT 2
- Use secure cookies HOT 1
- Use secure Lastuser cookie
- Support multiple redirect URIs HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lastuser.