2025-11-30 15:01:28 +00:00
# Enable Two-Factor Authentication
**ID:** EU-004
**Priority:** High

2026-05-19 06:20:38 +00:00

**Status:** Implemented
## User Story
As an end user, I want to enable two-factor authentication on my account so that my account is protected even if my password is compromised.
## Acceptance Criteria
- [x] User can enable 2FA from account settings
- [x] Support for TOTP apps (Google Authenticator, Authy, etc.)
- [x] Backup codes are generated and shown once during setup
- [x] User must verify 2FA code during setup to confirm it works
- [x] Login flow prompts for 2FA code when enabled
- [x] User can disable 2FA (requires current 2FA code)
- [x] Account recovery via one-time backup codes if the 2FA device is lost
## Technical Notes
- TOTP is implemented with `otplib`.
- TOTP secrets are stored encrypted in dedicated credential records, not on the User model.
- Backup codes are stored as hashes and consumed once.
- WebAuthn passkeys are supported for passwordless login and MFA step-up.
- SMS OTP remains registration-only and is not a default login factor.
## Related TODOs
- Consider adding explicit recovery admin workflows beyond backup codes.