app/stories/end-user/EU-004-two-factor-auth.md
Enable Two-Factor Authentication

ID: EU-004
Priority: High
Status: Implemented

User Story

As an end user, I want to enable two-factor authentication on my account so that my account is protected even if my password is compromised.

Acceptance Criteria

  • User can enable 2FA from account settings
  • Support for TOTP apps (Google Authenticator, Authy, etc.)
  • Backup codes are generated and shown once during setup
  • User must verify 2FA code during setup to confirm it works
  • Login flow prompts for 2FA code when enabled
  • User can disable 2FA (requires current 2FA code)
  • Account recovery via the one-time backup codes if the 2FA device is lost

Technical Notes

  • TOTP is implemented with otplib.
  • TOTP secrets are stored encrypted in dedicated credential records, not on the User model.
  • Backup codes are stored as hashes and consumed once.
  • WebAuthn passkeys are supported for passwordless login and MFA step-up.
  • SMS OTP remains registration-only and is not a default login factor.
  • Consider adding explicit recovery admin workflows beyond backup codes.