Email-based two-factor module
Summary
Create a new 2F module that generates a random code and sends it to the e-mail address registered in the user DB.
Design proposal
I have a working prototype that does the following:
In `run`:
- Generate a random code (with String::Random for now)
- Store it in the token-based temporary session
- Look up a configurable session key to find the user's email address
- Send the OTP code over the already configured SMTP transport (or sendmail), using ::Portal::Lib::SMTP
- Optionally use an HTML template for the email, much like password reset does
- Display the `ext2fcheck` template to the user
In `verify`:
- Compare the 2F random code stored in session with the one the user POSTed
All the building blocks needed to make this are pretty much already there. If you think this is a good idea I could have a PR ready in a few days.
UI
Thoughts
What should happen if a user doesn't have an email address in the user DB? Could some kind of self-registration process be used? Should 2F be skipped in that case, or should it return an error?
Is perl's `rand` (used by String::Random) a good enough source of entropy for this particular use case? If a user has a working account on the system, they can generate tokens for themselves and could theoretically use them to guess the tokens of other users.
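As an added illustration of the `run`/`verify` flow above and of the entropy question, here is a sketch (not code from the prototype or from LemonLDAP::NG) that draws the code from the kernel CSPRNG instead of `rand`, compares it in constant time, and makes it single-use with an expiry and an attempt limit. The session keys (`_2fcode`, `_2fexpires`, `_2ftries`), the hashref standing in for the temporary session and the `$send` callback standing in for the SMTP transport are all placeholders.

```perl
use strict;
use warnings;
our $CODE_LEN  = 6;     # digits in the one-time code (assumption)
our $CODE_TTL  = 300;   # seconds the code stays valid (assumption)
our $MAX_TRIES = 3;     # failed guesses allowed before the code is discarded (assumption)

# Draw digits from the kernel CSPRNG rather than perl's rand(), whose output is
# predictable from earlier values. Bytes >= 250 are rejected so "% 10" stays uniform.
sub gen_code {
    open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";
    my $code = '';
    while ( length $code < $CODE_LEN ) {
        sysread( $fh, my $byte, 1 ) == 1 or die "short read";
        my $v = ord $byte;
        $code .= $v % 10 if $v < 250;
    }
    close $fh;
    return $code;
}

# Compare without stopping at the first mismatch, so response time does not
# reveal how many leading digits were right.
sub ct_eq {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# run(): $session is a hashref standing in for the token-based temporary session,
# $send a code ref standing in for the SMTP transport (both placeholders).
sub run {
    my ( $session, $mail, $send ) = @_;
    my $code = gen_code();
    @{$session}{qw(_2fcode _2fexpires _2ftries)} = ( $code, time + $CODE_TTL, 0 );
    $send->( $mail, "Your one-time code is $code" );
    return 1;
}

# verify(): the code is single-use, expires, and survives only $MAX_TRIES guesses.
sub verify {
    my ( $session, $posted ) = @_;
    my $stored  = $session->{_2fcode} // return 0;
    my $expired = time > $session->{_2fexpires};
    my $ok      = !$expired && ct_eq( $stored, $posted // '' );
    delete @{$session}{qw(_2fcode _2fexpires _2ftries)}
        if $ok || $expired || ++$session->{_2ftries} >= $MAX_TRIES;
    return $ok ? 1 : 0;
}
```

With a CSPRNG-backed code, one account's ability to request codes for itself gives no information about another account's code, which is the property the `rand` question is really asking about.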