
Add OTP to support 2FA #6

@namsral

Description

Currently Multipass implements the second factor of 2FA, something you own. By implementing the first factor, something you know, Multipass would support 2FA.

Multipass core goals (excerpt):

  • Simpler authentication process for end users
  • Improve security by omitting passwords; password reuse is a problem, as is social hacking

OTP User flow

Upon requesting a login URL, a random OTP is generated, encrypted and embedded in the login URL, which is then sent to the user. The user is redirected to the confirmation page, where the OTP is shown once. At this point the OTP is discarded from the server.
When opening the login URL, the user must input the OTP that was shown on the confirmation page. Upon submitting, the OTP is verified against the encrypted OTP embedded in the login URL (token).

Requirements

  • TLS is required when showing the user the OTP, as it could be intercepted over HTTP
  • The OTP must have a limited lifetime; 120 s by default
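The flow above, sketched as an added Go example that is not Multipass's own code and not part of the issue. It assumes a 6-digit numeric OTP, a server-side AES-256-GCM key, and the hypothetical functions issueLoginToken and verifyLoginToken; the login URL host example.com is a placeholder. Because the server discards the OTP, the only place the 120 s lifetime can be enforced is inside the token itself, so the expiry is sealed into the token with the OTP and the user's address, and the token is authenticated (AEAD) so that a holder of the link cannot edit the expiry or the OTP. The OTP comparison is constant-time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// otpLifetime is the 120 s default from the issue; otpDigits is an assumption.
const (
	otpDigits   = 6
	otpLifetime = 120 * time.Second
)

var (
	errTokenInvalid = errors.New("login token invalid or expired")
	errOTPMismatch  = errors.New("OTP does not match")
)

// newOTP draws a uniformly random zero-padded numeric OTP from crypto/rand.
func newOTP() (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(otpDigits), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", otpDigits, n.Int64()), nil
}

// newAEAD wraps a 16/24/32-byte server key as AES-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// issueLoginToken builds the token for the login URL and returns the OTP to
// show once on the confirmation page. Nothing is stored server-side.
// Sealed payload layout: 8-byte big-endian expiry (unix s) | OTP | email.
func issueLoginToken(key []byte, email string, now time.Time) (token, otp string, err error) {
	otp, err = newOTP()
	if err != nil {
		return "", "", err
	}
	plain := make([]byte, 8, 8+otpDigits+len(email))
	binary.BigEndian.PutUint64(plain, uint64(now.Add(otpLifetime).Unix()))
	plain = append(plain, otp...)
	plain = append(plain, email...)

	aead, err := newAEAD(key)
	if err != nil {
		return "", "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	// token = nonce || ciphertext || GCM tag, URL-safe base64 for the query string.
	sealed := aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), otp, nil
}

// verifyLoginToken opens the token from the login URL, enforces the sealed
// expiry and checks the submitted OTP; on success it returns the bound email.
func verifyLoginToken(key []byte, token, submittedOTP string, now time.Time) (string, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", errTokenInvalid
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return "", errTokenInvalid
	}
	plain, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return "", errTokenInvalid // tampered token or wrong key
	}
	if len(plain) < 8+otpDigits {
		return "", errTokenInvalid
	}
	if now.Unix() > int64(binary.BigEndian.Uint64(plain[:8])) {
		return "", errTokenInvalid // past the 120 s lifetime
	}
	if subtle.ConstantTimeCompare(plain[8:8+otpDigits], []byte(submittedOTP)) != 1 {
		return "", errOTPMismatch
	}
	return string(plain[8+otpDigits:]), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	token, otp, err := issueLoginToken(key, "alice@example.com", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("login URL:", "https://example.com/login?token="+token)
	fmt.Println("shown once, then discarded:", otp)
	email, err := verifyLoginToken(key, token, otp, time.Now())
	fmt.Println("verified for:", email, "err:", err)
}
```

Note that a wrong OTP and a tampered or expired token return distinct errors here only for illustration; a production handler should present the same message for both so an attacker holding the link learns nothing from the failure mode.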
