2FA (Two Factor Authentication) - recommendations?

Has anyone here implemented 2FA in their Xojo App?

Which service did you use for it?

Could you share your experiences?

Pull whatever you need from https://github.com/thommcgrath/AuthenticationKit, maybe convert from the “new” framework to the classic framework. It has everything you need for TOTP 2FA, which is better than any service.

@Thom McGrath That looks interesting, but I can’t figure out from the docs how a user actually uses the 2FA. Wouldn’t he need some extra program or device that generates the TOTP codes? I have no clue how/where to get those.

The way TOTP 2FA works is both parties know a secret and use it to generate a time-sensitive code, and compare. The user would do this using Google Authenticator, 1Password, or similar. This is much better than something like using SMS, as that is vulnerable to a phone number attack.

But 1Pw, Google Authenticator (GA) etc. all use their own algorithm, right (and/or different key lengths)? Apparently, recent GA versions are not open source any more, so how do I figure out what they use? Or does the TOTP protocol pass all that information along, so that it’s kinda auto-config behavior? (If that were the case, would that mean that any website that asks me to use GA could also work with 1Pw instead?)

TOTP is an industry standard algorithm. Which app does the secret storage and code generation doesn’t really matter; they all follow the same standard.

Everything needed is packed into a url, and that url gets encoded into a QR that can be scanned by another device.

And yes, any app that says you can use GA, you can use 1P instead.

Awesome. Thanks for explaining this all.