Description
Which feature are you enhancing?
Account security through additional authentication factors
Why is this required?
Even with strong passwords, single-factor authentication remains vulnerable to various attack vectors. Multi-factor authentication adds a critical second layer of security, significantly reducing the risk of unauthorized access even if passwords are compromised.
Any additional context?
Implementation Steps:
1. Extend user model and database schema:
   - Add MFA-related fields to User model in Prisma schema
   - Create tables for storing TOTP secrets and recovery codes
   - Add MFA status and preferences to user profile
2. Implement TOTP authentication:
   - Integrate a TOTP library (like otplib)
   - Create secure secret generation and storage
   - Implement QR code generation for app setup
   - Add verification endpoints for TOTP codes
3. Add email-based verification as fallback:
   - Create email templates for verification codes
   - Implement secure code generation and expiration
   - Add rate limiting for email verification attempts
   - Create verification endpoints for email codes
4. Generate and manage recovery codes:
   - Implement secure recovery code generation
   - Store hashed recovery codes in the database
   - Create UI for viewing and regenerating codes
   - Add recovery code verification flow
5. Create user interfaces:
   - Build MFA setup wizard with clear instructions
   - Add MFA toggle in user settings
   - Create verification screens for login attempts
   - Implement device remembering functionality
6. Update authentication flow:
   - Modify login process to check for MFA requirement
   - Create step-up authentication for sensitive actions
   - Add session handling for MFA-verified sessions
   - Implement remember-device functionality