[WIP] MSC2271 TOTP 2FA login #2271

Draft
wants to merge 3 commits into
base: old_master
@ara4n ara4n commented Aug 31, 2019

High level proposal for TOTP 2FA auth from @hawkowl

Rendered

@ara4n ara4n added the proposal A matrix spec change proposal label Aug 31, 2019
ptman commented Sep 30, 2019

Excellent. But a separate proposal for U2F/WebAuthn?

Returns: `{"totp_key": "keyhere", "backup_keys": ["a", "b", "c"]}`

`DELETE /_matrix/client/r0/user/{user_id}/totp`
Remove TOTP from the account. Require password as a parameter (?)
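
Review bot: The `DELETE /_matrix/client/r0/user/{user_id}/totp` entry leaves its authentication requirement as an open question ("Require password as a parameter (?)"), so the proposal does not yet say what the server must verify before it removes the second factor. State the required proof explicitly, and say that it travels in the request body rather than as a URL parameter, since a password placed in a query string ends up in access logs.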

Password and TOTP, I think.


Other services I've seen allow you to remove 2FA tokens without having to auth the 2FA (only requiring password for confirmation). Of course you do need to be logged in already.


I think I've had the opposite experience, but can't name a service off-hand


I think this endpoint should just require user-interactive auth, like other security-sensitive endpoints do. The server could then decide whether you need to provide the password, password+totp token, password+totp recovery key, or any other combination, just like the usual flows.
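
A sketch of the user-interactive-auth gating suggested in the comment above, added here as an illustration; it is not code from the proposal or from any homeserver. `m.login.password` is the Matrix password stage, while the two TOTP stage names, the flow policy and the function names are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import struct

# m.login.password is the Matrix password stage. The two TOTP stage names are
# hypothetical placeholders; the page does not define identifiers for them.
PASSWORD = "m.login.password"
TOTP = "org.example.login.totp"
RECOVERY = "org.example.login.totp_recovery"
# Assumed server policy for removing TOTP: completing either flow is enough.
FLOWS = [[PASSWORD, TOTP], [PASSWORD, RECOVERY]]

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` steps of clock drift either side."""
    ok = False
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t >= 0:  # no counter exists before the epoch
            # compare_digest avoids leaking how many digits matched
            ok |= hmac.compare_digest(totp(secret, t, step).encode(), code.encode())
    return ok

def submit_totp(secret: bytes, code: str, at: int, completed: list[str]) -> list[str]:
    """Mark the TOTP stage complete only when the submitted code verifies."""
    if verify_totp(secret, code, at) and TOTP not in completed:
        return completed + [TOTP]
    return completed

def uia_check(session: str, completed: list[str]) -> tuple[int, dict]:
    """200 once any flow is fully completed, else the UIA 401 body to retry with."""
    if any(set(flow) <= set(completed) for flow in FLOWS):
        return 200, {}
    return 401, {
        "flows": [{"stages": flow} for flow in FLOWS],
        "params": {},
        "session": session,
        "completed": completed,
    }
```

With this shape the endpoint itself carries no password parameter: the server changes `FLOWS` to tighten or relax what removal requires, and clients follow whatever the 401 body advertises.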

@turt2live turt2live added the kind:core MSC which is critical to the protocol's success label Apr 20, 2020
@turt2live turt2live marked this pull request as draft April 8, 2021 23:36
@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
5 participants