With the proliferation of common password lists like this and near weekly large-scale breaches, 2-factor authentication (2FA) is easily recognized as a security best practice. We've been doing 2FA with Meteor for a while at Legal Robot but we also think the wider community would benefit from such an effort in Meteor core.
I think the key question is: why do a core package and not a community package? We can certainly try this out as a community package. However, with something as important as security, the infrastructure and responsiveness of the Meteor core team could make sense.
Why not FIDO U2F instead?
I agree that FIDO U2F would be great - I use that myself whenever possible - but the barrier to adoption for U2F is still somewhat higher than TOTP since an authenticator app is far easier to procure than a hardware key (and certainly easier to set up!). Perhaps we could add a core package for FIDO U2F as well, but TOTP-based 2FA seems like a logical first step.
Last month, we implemented both TOTP and U2F based 2FA at Legal Robot in a new local package called accounts-2fa that will let anyone using accounts-password enable TOTP and/or U2F based 2FA by merely adding a package, changing their Meteor settings, and adding a new login form for account recovery.
While we currently use Blaze at Legal Robot, we built this thinking that folks using React would also want to use it, so I think the only incremental UI dependency is sweetalert2.
We also put out a special challenge to the community of hackers we work with in our HackerOne Bug Bounty program to find issues with our 2FA implementation. They did not disappoint and we have almost resolved all of the 42 submitted issues (some duplicates).
Features, so far:
Feel free to try it live on Legal Robot: