Meteor-feature-requests: Core package for TOTP-based 2FA

Created on 8 Jun 2017 · 3 Comments · Source: meteor/meteor-feature-requests

With the proliferation of common password lists like this and near weekly large-scale breaches, 2-factor authentication (2FA) is easily recognized as a security best practice. We've been doing 2FA with Meteor for a while at Legal Robot but we also think the wider community would benefit from such an effort in Meteor core.

I think the key question is: why do a core package and not a community package? We can certainly try this out as a community package. However, with something as important as security, the infrastructure and responsiveness of the Meteor core team could make sense.

Labels: Accounts (in user apps), ProjectPassword, ProjectUI

All 3 comments

Why not FIDO U2F instead?

I agree that FIDO U2F would be great - I use that myself whenever possible - but the barrier to adoption for U2F is still somewhat higher than TOTP since an authenticator app is far easier to procure than a hardware key (and certainly easier to set up!). Perhaps we could add a core package for FIDO U2F as well, but TOTP-based 2FA seems like a logical first step.

Last month, we implemented both TOTP and U2F based 2FA at Legal Robot in a new local package called accounts-2fa that will let anyone using accounts-password enable TOTP and/or U2F based 2FA by merely adding a package, changing their Meteor settings, and adding a new login form for account recovery.

While we currently use Blaze at Legal Robot, we built this thinking that folks using React would also want to use it, so I think the only incremental UI dependency is sweetalert2.

We also put out a special challenge to the community of hackers we work with in our HackerOne Bug Bounty program to find issues with our 2FA implementation. They did not disappoint and we have almost resolved all of the 42 submitted issues (some duplicates).

Features, so far:

  • [x] Basic TOTP support (QR code)
  • [x] TOTP manual entry
  • [x] Email on TOTP enable
  • [x] Email on TOTP disable
  • [ ] Handcrafted TOTP clipart
  • [x] TOTP Issuer support
  • [x] Basic U2F support
  • [x] Fallback U2F -> TOTP -> Recover
  • [x] U2F unsupported browser check
  • [x] Email on U2F enable
  • [x] Email on U2F disable
  • [ ] Support >1 U2F key (see TODO for npm u2f)
  • [x] Handcrafted U2F clipart
  • [x] Basic Recovery support
  • [x] Recovery keys bcrypt'ed (14 rounds, configurable)
  • [x] Configure Recovery key length
  • [x] Configure Recovery key count
  • [x] Email on Recovery key use
  • [x] Email-in-the-loop Recovery
  • [x] Configurable expiration for Recovery email
  • [ ] Configurable path for Recovery
  • [ ] Handcrafted Recovery clipart
  • [x] Disable individual 2FA emails with setting
  • [ ] Internationalization support
  • [ ] Any testing, whatsoever
  • [x] Minimal documentation
  • [ ] Complete documentation

Feel free to try it live on Legal Robot:

  1. Register an account
  2. Confirm your email
  3. Go to the account page and turn on TOTP or U2F based 2FA