OAuth 2FA current standards for Web login security

I have some new Web projects in the works and need to consider the most current login methods in use today. I’d prefer not to create a Twilio 2FA scheme from scratch if I don’t need to. In fact, if there’s an easy-to-implement “off the shelf” security model that I could leverage then I get to spend more hours working on the main app. Thanks for any feedback :+1:t2:

You might consider GitHub - thommcgrath/AuthenticationKit: Provides "Security Through Obesity" password storage and TOTP to Xojo projects. It does the easy-to-get-wrong stuff for you, but it’s not a simple drop-in solution. You’ll need to build some classes to interact with your database, but there are examples and documentation.


If a plugin is something you would want for it, then e-CryptItEngine does 2FA.

Thom/Björn - thanks for the input, I’ll continue searching and also looking at your suggestions. I’ll append this ticket with anything amazingly useful (if I find it). Thx!

Maybe try my sample code; I don’t use any plugins, just Xojo code.
VDS - HOTP for Desktop

VDS - HOTP For Web

Just be aware that HOTP is better used for backup codes, and TOTP is much more commonly used for the day-to-day verification. HOTP saves you from having to actually store the backup codes, as you can use the same secret and simply generate codes 0-9 to show the user and for verification. If a backup code is used, you turn off 2FA, forcing the user to set it up again, getting a new secret, and start over.

You could achieve the same effect with TOTP by using hard-coded timestamps for the backup codes, but I wouldn’t recommend that.
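To make the HOTP-for-backup-codes scheme above concrete, here is an added Python example (not Xojo, and not code from this thread, AuthenticationKit or e-CryptItEngine) that implements RFC 4226 HOTP and RFC 6238 TOTP on one shared secret, derives the ten backup codes from counters 0-9, and disables 2FA on the account record when one of them is used. The `account` dict, its field names and the 20-byte demo secret are assumptions for illustration; the demo secret is the RFC 4226 test-vector key, not something to use in production.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided by the step (30 s)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate client clock drift."""
    counter = at // 30
    matched = False
    for c in range(counter - skew, counter + skew + 1):
        # compare every candidate in constant time; never short-circuit on a match
        matched |= hmac.compare_digest(hotp(secret, c).encode(), submitted.encode())
    return matched


def backup_codes(secret: bytes, count: int = 10) -> list:
    """Backup codes are HOTP at counters 0..count-1, so nothing beyond the secret is stored."""
    return [hotp(secret, i) for i in range(count)]


def use_backup_code(account: dict, submitted: str) -> bool:
    """On a backup-code match, disable 2FA and drop the secret so the user must re-enrol."""
    if not account.get("two_factor_enabled"):
        return False
    matched = False
    for code in backup_codes(account["secret"]):
        matched |= hmac.compare_digest(code.encode(), submitted.encode())
    if matched:
        account["two_factor_enabled"] = False
        account["secret"] = None  # a fresh secret is generated at re-enrolment
    return matched


# constructed demo account using the RFC 4226 test-vector key
DEMO_SECRET = b"12345678901234567890"
demo_account = {"user": "alice", "secret": DEMO_SECRET, "two_factor_enabled": True}
```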