Two-Step Verification

Issue No: FRM-2491
Created 9/10/2015 10:24:39 AM
Type Feature
Priority Major
Status Closed
Resolution Fixed
Fixed Version 15.4
Description
Two-Factor Authentication secures your user account by requiring a second component, in addition to your password, to access your account. That second step means your account stays secure even if your password is compromised. This can be done by a variety of methods, such as a text message or the Time-based One-time Password Algorithm ([TOTP|https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm]), to ensure compatibility with mobile apps like [Authy|https://www.authy.com/personal/] or [Google Authenticator|https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en].

This is a one-time validation per new device. Once a computer is validated, you only need your password to log in. If you get a new computer or log in on a different computer, you would need to go through the two-step verification again.

We should look into developer APIs that we can use. One interesting option is [https://www.twilio.com/], as it looks like they provide a REST API and their pricing seems reasonable. Since almost everyone has a mobile phone with text messaging, we should start with SMS first. If we need other methods of authentication, we can look into them later.

Here is an article on how to implement 2FA with Google Authenticator:
[Add Two-Factor Authentication To Your Website with Google Authenticator and Twilio SMS|https://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html]

*TOTP*

A great pattern for implementing two-factor authentication is to use the TOTP (Time-based One-time Password Algorithm) standard for the second authentication step. What is so cool about TOTP is that it is flexible enough to allow users to generate their authentication tokens directly on their smart phones using a TOTP app like Google Authenticator, or to have their tokens sent to their mobile phone via SMS.

[Google Authenticator|https://support.google.com/accounts/answer/1066447?hl=en]
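The TOTP second step described above, as an added example (not code from this issue or the project): an RFC 6238 generator, the otpauth:// enrollment URI that Google Authenticator and Authy import from a QR code, and a server-side verifier that tolerates one step of clock drift, compares in constant time and refuses codes that were already redeemed. The secret is the RFC 6238 reference test key; the account and issuer names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way an authenticator app receives it. Constructed test value, not a real key.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def provisioning_uri(secret_b32, account, issuer, digits=6, step=30):
    """otpauth:// URI that Google Authenticator and Authy import via QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is floor(unix_time / step)."""
    ts = time.time() if timestamp is None else timestamp
    return hotp(base64.b32decode(secret_b32), int(ts) // step, digits)

def verify_totp(secret_b32, submitted, timestamp, last_counter=None,
                step=30, window=1, digits=6):
    """Server-side check: accept the current step or +/-window steps (clock
    drift), compare in constant time, and refuse any counter at or below the
    last accepted one so a captured code cannot be replayed.
    Returns (accepted, counter_to_persist)."""
    key = base64.b32decode(secret_b32)
    now = int(timestamp) // step
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True, counter
    return False, last_counter

if __name__ == "__main__":
    print(provisioning_uri(SECRET_B32, "alice@example.com", "ExampleApp"))
    print(totp(SECRET_B32, 59))  # RFC 6238 test vector 94287082 truncated to 6 digits
```

Persist the returned counter per user after each successful login; without it the same code is valid for the whole 30-second step and again within the drift window.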