Draft: Parse OTP
This draft describes the method and design of managing 2FA (2 factor auth) for user accounts.
The most common method for 2FA is TOTP, Time based One Time Password. When setup, the user is required to provide a one time password that changes overtime in order to be able to create a session.
TOTP is a standard available here many 3rd party libraries implement TOTP wrappers for node. The otplib module seems well supported, popular and very interesting.
- The user creates an account with email and password.
- The user opts-in for 2FA
- When opting in, parse server should generate all appropriate secrets and store them on the _User table or a specific private table.
- The Server transmits the public part of the OTP process to the user (QRCode, token etc...)
- The user confirms the OTP by entering one or two consecutive one time passwords
- The server verifies the user input
- The server enables 2FA for this account
- The server provides the recovery codes, should be readable / downloadable only ONCE (or for a short period of time). The server could provide an iframe, html page for those.
NB: before the tokens are verified 2FA is not enabled.
For logging in, there are multiple options but in order to keep it simple we recommend the logging procedure is kept to a single API call.
The original login API with 2FA should not return any valid response when the account is locked with 2FA.
The user provides all credentials in a single payload, with username, email, password and OTP/token/mfa. All are getting verified at once.
Once provided them all at once, the server would lookup the user in the _User table, and verify the token provided. If the user account requires 2FA and the token matching is invalid, then login is denied.
There is no need of creating temporary restricted sessions for inputing the 2FA factors.