As an additional 2FA option, implement support for U2F. Some details at http://mail-archives.apache.org/mod_mbox/allura-dev/201608.mbox/%3C28c7a399-86c5-5d75-dde4-2ab54fe7b3e4%40brondsema.net%3E
Some sites (e.g. gitlab) require you to set up regular TOTP before adding a U2F hardware key. Maybe because U2F isn't supported too broadly, so you need regular TOTP to log into non-Chrome browsers or shell services. Bitbucket requires ssh keys first too.
Many sites let you name your U2F devices, since you can add multiple. They may also record the date it was added.
I've pushed some work in progress to db/8119 which is a good start and working well, but for various reasons I'm not going to keep working on this right now. One reason is that U2F is still forward-looking, and since the common best practice is to require TOTP (because not all browsers and non-browser connections support U2F), adding U2F on top of TOTP doesn't really add any true security benefit: TOTP & recovery codes are the weakest link.
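To make the weakest-link point above concrete, here is an added example (not Allura's code and not from the db/8119 branch): a standard RFC 4226/6238 TOTP check with a replay guard and clock-drift window, single-use hashed recovery codes, and a function that reports an account's effective second-factor strength as the weakest method the server still accepts. The U2F path is represented only by a flag; verifying a real U2F assertion needs the browser's signed challenge and is not shown. The `Account` class, its method names and the assurance labels are assumptions made for the illustration.

```python
"""Added example: TOTP + recovery-code fallback next to a U2F flag, to show
why the weakest accepted factor sets an account's real 2FA strength.
Not Allura code. HOTP/TOTP follow RFC 4226 / RFC 6238 (HMAC-SHA1)."""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time-step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, unix_time // STEP, digits)


def hash_recovery_code(code: str) -> str:
    # Recovery codes are stored hashed, like passwords; hex form is all-ASCII.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def new_recovery_codes(n: int = 10):
    """Return (plaintext codes shown to the user once, hashes kept server-side)."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    return plain, {hash_recovery_code(c) for c in plain}


class Account:
    """Hypothetical account record: any enrolled method is accepted at login."""

    def __init__(self, totp_secret=None, recovery_hashes=(), has_u2f_key=False):
        self.totp_secret = totp_secret
        self.recovery_hashes = set(recovery_hashes)
        self.has_u2f_key = has_u2f_key
        self.last_totp_counter = -1  # highest counter already consumed

    def verify_totp(self, submitted: str, now: int, window: int = 1) -> bool:
        """Accept a code within +/- `window` steps, but never one already used,
        so a code sniffed from a phishing page cannot be replayed."""
        if self.totp_secret is None:
            return False
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == 6):
            return False
        counter = now // STEP
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_totp_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, c), submitted):
                self.last_totp_counter = c
                return True
        return False

    def verify_recovery_code(self, submitted: str) -> bool:
        """Single use: a matching hash is removed as it is consumed."""
        h = hash_recovery_code(submitted)
        if h in self.recovery_hashes:
            self.recovery_hashes.discard(h)
            return True
        return False

    def accepted_methods(self) -> set:
        methods = set()
        if self.totp_secret is not None:
            methods.add("totp")
        if self.recovery_hashes:
            methods.add("recovery_code")
        if self.has_u2f_key:
            methods.add("u2f")
        return methods


PHISHING_RESISTANT = {"u2f"}


def effective_assurance(account: Account) -> str:
    """The attacker picks the weakest method the server still accepts, so
    enrolling a U2F key on top of TOTP does not raise the floor."""
    methods = account.accepted_methods()
    if methods and methods <= PHISHING_RESISTANT:
        return "phishing-resistant"
    return "otp-or-recovery-code"
```

With TOTP enrolled alongside the key, `effective_assurance` still reports the OTP level; only an account whose sole accepted method is the U2F key comes out as phishing-resistant, which is exactly why "TOTP first, then U2F" leaves TOTP and recovery codes as the weakest link.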