antonioribeiro/google2fa-laravel

Is it possible to check if authenticator app is linked to laravel?

JonathanPort opened this issue · 6 comments

Not an issue, just wondering if it's possible to check if the app is linked to laravel or not?

The way I have my app set up, the user can turn 2FA on and off through account settings; however, I want a way of guaranteeing they have actually scanned and linked the auth app before clicking enable. The problem is that if the user clicks next without actually linking to the app, they will be locked out. I've put information and warning popups in to make the user aware, but yeah, it would be fantastic to have a way to enforce it.

In an ideal world I'd love the functionality to work similarly to how WhatsApp desktop works, where you scan the QR on your phone and the desktop app detects when it's scanned and automatically logs you in without having to click any confirm buttons and whatnot. I have an idea on how to do this but it all relies on having some kind of method along the lines of checkAuthenticationAppIsLinked.

Thanks in advance! Tried googling this but couldn't get any insight on it, was hoping you guys would know more. I also appreciate I could be missing something fundamental so apologies if you've covered this before, I'm still learning about all this 2fa stuff.

Many thanks,
Jon

mfn commented

guaranteeing they have actually scanned and linked the auth app before clicking enable

You can always only enable the flag to activate 2FA for a user after they have provided the OTP at least once.

Apps like 1Password specifically work that way:

  • you scan the QR code with the app
  • the current OTP is immediately pasted into the clipboard for the user

The ideal workflow for enabling it is:

  1. User clicks on enable 2FA
  2. Site shows the QR code and asks the user to read it with the app (Google Authenticator or whatever)
  3. Site asks the user to type the current code
  4. If the code is OK, the previously disabled save button is now enabled
  5. User clicks on save, and now the account is secured.

This way you know people will not risk locking their accounts, and you don't really need the Authenticator app to do this for you.

I've seen some apps asking the user to type two sequential codes, type one, wait for the next one, type it on a second input.

@mfn @antonioribeiro

Ahh okay I see, that will actually work for me, thanks so much for the replies!

Just to follow up with my question, I don't fully understand the behind the scenes of the authenticator but I guess by the nature of it, it's not possible to "ping" or "call" the authenticator app? There's no way to call a google api with the google2fa_secret to verify it's registered to a provided email? Sorry to ask here but I'm finding it quite difficult to google.

mfn commented

I don't fully understand the behind the scenes of the authenticator but I guess by the nature of it, it's not possible to "ping" or "call" the authenticator app? There's no way to call a google api with the google2fa_secret to verify it's registered to a provided email?

No, authenticator apps work by virtue of these things:

  • agreed on the algorithm to use
  • accurate time
  • shared private secret
    the QR code is the secret you're sharing with your authenticator and your application
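The two answers above describe the same mechanism from two sides: the enable flow (show the QR code, only flip the "2FA enabled" flag once the user has typed a valid code) and why nothing can be "pinged" (the app has nothing but the algorithm, the clock and the shared secret). The following is an added example, not code from google2fa-laravel or from anyone in this thread, written in Python rather than the library's PHP so it runs stand-alone. It implements RFC 4226 HOTP and RFC 6238 TOTP from scratch and a hypothetical `TwoFactorEnrollment` class that models the pending-secret / confirmed-secret state a users table would hold; the `verify`, `confirm` and `check_login` names and the issuer/account strings are assumptions for the illustration.

```python
"""Added example (not part of google2fa-laravel): TOTP verification plus the
enable-only-after-a-valid-code workflow discussed in the thread."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

DIGITS = 6    # code length most authenticator apps display
STEP = 30     # seconds per time step (RFC 6238 default)
WINDOW = 1    # tolerate one step of clock skew either way


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded so it fits in an otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (Unix seconds)."""
    return hotp(secret_b32, int(at // STEP))


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """What the QR code encodes. The secret is the only thing the app ever receives."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32.rstrip("="), "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": STEP,
    })
    return f"otpauth://totp/{label}?{query}"


def verify(secret_b32: str, code: str, at: float, last_counter: int = -1):
    """Return the matching counter if `code` is valid within WINDOW, else None.
    Counters at or below `last_counter` are refused so a captured code cannot be replayed."""
    if len(code) != DIGITS or not code.isdigit():
        return None
    now = int(at // STEP)
    for counter in range(now - WINDOW, now + WINDOW + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


class TwoFactorEnrollment:
    """Hypothetical server-side state for one user (stand-in for users-table columns)."""

    def __init__(self) -> None:
        self.pending_secret = None   # shown in the QR code, not yet trusted
        self.secret = None           # set only once the user proved they scanned it
        self.enabled = False
        self.last_counter = -1

    def begin(self, issuer: str, account: str) -> str:
        """Step 1-2: mint a secret and hand back the otpauth URI to render as a QR code."""
        self.pending_secret = generate_secret()
        return otpauth_uri(issuer, account, self.pending_secret)

    def confirm(self, code: str, now: float) -> bool:
        """Step 3-5: the enabled flag flips only if the user typed a valid code."""
        if self.pending_secret is None:
            return False
        counter = verify(self.pending_secret, code, now)
        if counter is None:
            return False
        self.secret, self.pending_secret = self.pending_secret, None
        self.enabled, self.last_counter = True, counter
        return True

    def check_login(self, code: str, now: float) -> bool:
        """Second factor at login; remembers the accepted counter to block replay."""
        if not self.enabled:
            return False
        counter = verify(self.secret, code, now, self.last_counter)
        if counter is None:
            return False
        self.last_counter = counter
        return True
```

Because `confirm` is the only path that sets `enabled`, a user who clicks through without scanning simply stays un-enrolled instead of locked out, which is exactly the guarantee asked for. The `last_counter` bookkeeping is the server-side half of the "two sequential codes" idea: one code is enough to prove possession, but it is never accepted twice.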

Okay, kinda thought so. Thanks very much for the help then, appreciate it 👍