Collaborate Disseminate
I’ve implemented two-factor authentication in my Foo app like so
User enters a username and password
If the username/password is valid, the user is shown a QR code and a field that allows a one-time password to be entered
If the user hasn… Continue reading How does 2FA improve security when using one-time passwords via a mobile app?
I’ve implemented two-factor authentication in my Foo app like so
User enters a username and password
If the username/password is valid, the user is shown a QR code and a field that allows a one-time password to be entered
If the user hasn… Continue reading How does 2FA improve security when using one-time passwords via a mobile app?
I would like to require users to add a TOTP device immediately after signup to my app. Generally the steps would be:
Create user with password and send a verification email with a token
User clicks the verify link with the token
Server ve… Continue reading What is the proper flow to add an MFA device to a new user?
I know that when enabling 2FA all sessions must expire.
But how about disabling 2FA? Should all sessions expire then?
I know that disabling 2FA is a risk, but that’s not the question. I’m wondering only about all active sessions – do they … Continue reading Should all sessions expire after disabling 2FA?
I’m trying to avoid Google device notification-based 2-factor auth ("push MFA"), which Google keeps enabling if I log into Google websites in a browser on an Android device (even if the device has no Google account at the OS leve… Continue reading Which Android browser can I use so that Google will not force push-MFA? [closed]
My bank’s online services, as a second factor, use a "memorable phrase". Upon login, I am prompted to enter three characters from that phrase, at specified indexes – say, 3rd, 7th, 10th character. Login is denied if this does not… Continue reading Securely storing a password for matching against its substrings
My bank’s online services, as a second factor, use a "memorable phrase". Upon login, I am prompted to enter three characters from that phrase, at specified indexes – say, 3rd, 7th, 10th character. Login is denied if this does not… Continue reading Securely storing a password for matching against its substrings
I’ve noticed that some websites implementing SMS-based MFA display a "reference code" on the website during login or transaction confirmation, and this code is also included in the SMS containing the OTP.
The user is instructed t… Continue reading Why does SMS-based MFA sometimes include a ref. code to match on the website + SMS?
I’ve noticed that many services don’t specify the purpose behind verification codes. For example when signing up to a service, we often want/need to verify that the email address or phone number is indeed ours. We might also need to verify… Continue reading Is it bad practice to state the purpose of a verification code?
GitHub recently reminded me to save backup codes to avoid losing access to my account. I wrote down my codes a few years ago and haven’t taken further action since. However, I’m now wondering: do backup codes ever expire? Should I occasion… Continue reading Can I rely on my backup codes to remain valid indefinitely?