Enable Two-Factor Authentication
ID: EU-004 Priority: High Status: Implemented
User Story
As an end user, I want to enable two-factor authentication on my account so that my account is protected even if my password is compromised.
Acceptance Criteria
- User can enable 2FA from account settings
- Support for TOTP apps (Google Authenticator, Authy, etc.)
- Backup codes are generated and shown once during setup
- User must verify 2FA code during setup to confirm it works
- Login flow prompts for 2FA code when enabled
- User can disable 2FA (requires current 2FA code)
- Account recovery via the one-time backup codes if the 2FA device is lost
Technical Notes
- TOTP is implemented with otplib.
- TOTP secrets are stored encrypted in dedicated credential records, not on the User model.
- Backup codes are stored as hashes and consumed once.
- WebAuthn passkeys are supported for passwordless login and MFA step-up.
- SMS OTP remains registration-only and is not a default login factor.
Related TODOs
- Consider adding explicit recovery admin workflows beyond backup codes.