Replies: 3 comments
-
A PAM module is not a probable way for this project to integrate with a 2FA service. It is not the ideal solution for a JavaScript program, and it is not a "plug-and-play" thing. It might be possible to integrate it with your web server (such as nginx), which can handle authentication for a Flood server.

The idea is great, but unfortunately it would be too much of a maintenance burden to directly add 2FA functions to this project, as that would likely involve an email service or an SMS over IP service. It would not be feasible to use a third-party API, either. Services don't come free, and third-party APIs would certainly require some kind of verification and tokens (to prevent abuse, otherwise malicious users may send thousands of messages to anyone's phone, which may lead to severe penalties for service providers), which we, as an open source project, can't provide to users. It would also be generally troublesome to let users provide the necessary tokens themselves.

TOTP might be easier to implement than "push" 2FA. However, it is considerably harder to use. Some UX logic also has to be figured out before it can be implemented. I would certainly take a look when I have time.

In my opinion, the most practical and useful way to implement MFA is to add OAuth (Google, Facebook, GitHub, etc.) login options. OAuth login options also decrease the potential data protection liabilities of Flood.

Either way, breaking API revisions would likely be required. As a result, the feature cannot be implemented before the development cycle of the next major release, 5.0. Additionally, it would be essential to design an authentication flow that works for API users as well.
-
Thanks for your response. Yes, email or SIM verification would be more work and infrastructure, and it's less secure.
-
I would love to see OpenID/OAuth implemented.
-
Can you please add 2FA to provide additional security before being able to log in?
Google already provides a 2FA module that can be integrated with protocols like SSH and OpenVPN.
https://github.com/google/google-authenticator-libpam