Implement 2FA During Login

[bennpham]

Description

I think it'd be nice to have 2FA after logging in on https://www.if-me.org/users/sign_in. Maybe we can have a modal popup for users to input that 2FA security code when they login normally via email or password.

This should not applied to sign in with google or facebook since those sites should have their own 2FA implementation if enabled.

A few gems we could check out that seems the most up to date for 2FA would be https://github.com/Houdini/two_factor_authentication or https://github.com/tinfoil/devise-two-factor so it'd be best to evaluate what would be the best 2FA gem to use before implementing.

Note

There will be new gems to implement with this PR so it is best to pick the best suited most up to date 2FA gem.

---

Please assign yourself (via the Assignees dropdown), if you do want to work on this issue. Can't find yourself? You need to join our organization.

Check out our Picking Up Issues guide if you haven't already!

[bennpham]

Peeking through Tinfoil's Devise Two Factor, I think that gem's is kind of dying and deprecated. I remember attempting to implement this as a Spike story at work and ran into problems, so I think Tinfoil's Devise Two Factor might be a bit out of the question :/ devise-two-factor/devise-two-factor#170

I had my eyes on Houdini's two factor authentication which is related to Tinfoil's but more maintained at time. Activity been a bit low on there as well: Houdini/two_factor_authentication#193. Maybe someone might step in to take ownership of the project.

---

Two factor wise, I've yet to find a reliable 2FA package right off the box for Rails. I've found something working with Laravel though. Luckily I did ran into a blog that implemented 2FA on rails app written 5 months ago: https://oozou.com/blog/otp-2fa-in-ruby-on-rails-with-rotp-42

RTOP gem seems like the simplest to use gem although I suppose I'm curious how to get it with Devise (which Houdini's and Tinfoil's 2FA were made to be implemented with Devise).

Do note to encrypt otp_secret when going with this implementation mentioned in additional notes. Also to make sure that users aren't logged in and bypass the OTP part. I think some extra work in the Session Controller would need to be done on this part. I might grab this and give it a go if I get around to it and am not busy unless someone wants it first.

---

I think this list would be suitable for OTP:

• Encrypt otp_secret
• Make sure that users don't get logged into until they actually enter the correct OTP
• Adds ability to enable OTP in user settings
• Show OTP after/during login when OTP is enabled for users who signed up via email

[sebassebas1313]

I would like to take this one. It's seems a nice way to start my contribution.

[bennpham]

@sebassebas1313 Go ahead and assign yourself if no one is assigned to it here! Also you can join the slack channel for IFME.

[sebassebas1313]

Sadly, This issue goes beyond the scope I was thinking. So, I am going to leave open to someone with more time. Thank you for your help anyways @julianguyen

[akp2603]

Hi @faithngetich! Did you pick this up?

[faithngetich]

No @akp2603 I'll remove myself from the issue.

[adang48]

Could I give this a try? @julianguyen