What
Additional security and login options.
RFC 6238 TOTP - TOTP stands for Time-based One-Time Passwords and is a common form of two-factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm that uses the current time as an input. The time-based passwords are available offline and provide user-friendly, increased account security when used as a second factor. You have likely seen this in use if you've ever set up authentication apps like Google Authenticator, Authy or FreeOTP.
WebAuthn - The Web Authentication API allows servers to register and authenticate users using public key cryptography instead of a password. It allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple’s Touch ID. Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device or on a hardware key (such as a YubiKey); a public key and a randomly generated credential ID are sent to the server for storage. The server can then use that public key to prove the user’s identity. Ideally any implementation of this should allow for adding at least 2 hardware keys, ideally 5. Backups are good.
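What "the server can then use that public key to prove the user's identity" involves on the server side, as an added example that is not from the original issue or any project: the structural checks of a WebAuthn assertion (challenge, origin, rpIdHash, user-presence flag, signature counter) and the exact bytes the stored public key must then verify a signature over. The relying party id "example.com", the challenge and the authenticatorData bytes are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import json
import struct

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rpIdHash": rp_id_hash, "up": bool(flags & 0x01),
            "uv": bool(flags & 0x04), "signCount": sign_count}

def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    # The message the authenticator signed; verify the signature over this with the stored public key
    return auth_data + hashlib.sha256(client_data_json).digest()

def check_assertion(rp_id: str, origin: str, expected_challenge: bytes, stored_sign_count: int,
                    client_data_json: bytes, auth_data: bytes, require_uv: bool = False):
    """Structural checks of the WebAuthn authentication ceremony, run before the
    signature check. Returns (True, new_sign_count) or (False, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"  # replayed or forged response
    if cd.get("origin") != origin:
        return False, "origin mismatch"  # phishing resistance: the browser binds the real origin
    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad["up"] or (require_uv and not ad["uv"]):
        return False, "user presence/verification flag missing"
    # A counter that fails to increase suggests a cloned authenticator; reject and alert
    if (ad["signCount"] or stored_sign_count) and ad["signCount"] <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, ad["signCount"]

# Constructed sample (not captured from a real authenticator): rp "example.com", UP+UV set, counter 7
CHALLENGE = b"\x01" * 32  # in practice: fresh random bytes per login, stored with the session
AUTH_DATA = hashlib.sha256(b"example.com").digest() + bytes([0x05]) + struct.pack(">I", 7)
CLIENT_DATA = json.dumps({"type": "webauthn.get", "origin": "https://example.com",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode()}).encode()
```

Only after these checks pass should the signature be verified over `signed_payload(...)` with the public key stored at registration for the presented credential ID, and the stored counter updated.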
Passkeys - Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. This is the future of a passwordless internet.
Why
In this day and age when everything is getting compromised, let's up the security a bit.
Two-factor authentication (2FA) is the foundational element of a zero trust security model. In order to protect sensitive data, you must verify that the users trying to access that data are who they say they are. 2FA is an effective way to protect against many security threats that target user passwords and accounts, such as phishing, brute-force attacks, credential exploitation and more.
How
Usual implementations of TOTP keys and hardware keys have the user prompted to authenticate once their username and password have been successfully entered. One could also have a 2FA box that is always on the login screen below the username/password (however, it may confuse users who don't know what 2FA is).
Good example implementations of passkeys are Coinbase, GitHub, and even Roblox. They either have a dedicated "Sign in with passkey" button on the login page, or they auto-prompt your browser. Passkeys should not require entering a username or password once enabled. There's an Apple Developer article here. Google have a lot of info on Passkey authentication on Android and web here. There's also the WebAuthn API.