
Multi-factor authentication about gotrue HOT 19 CLOSED

supabase avatar supabase commented on July 19, 2024 17
Multi-factor authentication

from gotrue.

Comments (19)

Bryanoxx avatar Bryanoxx commented on July 19, 2024 21

Hello! I've been using Supabase for some months and I love it!

I'm dealing with crypto and exchange APIs on my website, so naturally some of my users asked for 2FA, and by searching how to do it I found this issue, so I'm here to confirm the need for 2FA for Supabase sign-in ✅

I thought about doing my own TOTP system, but it cannot be secure enough, since Supabase will always give the accessToken when a proper email and password are given to it.
If there is a password leak for one of my users, a guy can always use supabase.signIn directly in the console of my website and get the accessToken, so a custom TOTP-asking process will never be secure enough; it needs to be implemented by Supabase directly to be 100% secure.

That's all, thank you for the great work 👋


kangmingtay avatar kangmingtay commented on July 19, 2024 18

Hey everyone, @J0 is working on this feature in gotrue and you guys can check out the gotrue/mfa_v1 branch for the implementation details. We have also opened up an early-sign up list if you are using Supabase and looking to try out MFA in a project.


J0 avatar J0 commented on July 19, 2024 14

We're working on it! Out of curiosity, which aspect of MFA are you hoping to integrate (e.g. TOTP authenticator, SMS, email)?

Can't say much but there'll be updates on the feature before our next launch so keep your eyes peeled for then... 👀


Deliana90 avatar Deliana90 commented on July 19, 2024 10

I hope for a TOTP authenticator, because that is more independent, so more secure, and doesn't need to wait for a message to be received.


icecoconut avatar icecoconut commented on July 19, 2024 9

any ETA? :D


J0 avatar J0 commented on July 19, 2024 8

Hey team,

Going to close this issue since TOTP MFA has landed in prod. If anyone has issues please feel free to reach out.

Thanks!


minecraftchest1 avatar minecraftchest1 commented on July 19, 2024 7

Any plans to support WebAuthn?


kiwicopple avatar kiwicopple commented on July 19, 2024 5

I'm moving this to our GoTrue fork - let's see if we can do this during Hacktoberfest 🚢


kiwicopple avatar kiwicopple commented on July 19, 2024 3

Tracking this with the Netlify team - we will see if we can add this and merge it into their server.

We're in the process of catching up our UI to GoTrue's full API potential, so this will likely be a task for next month's release.


RichiCoder1 avatar RichiCoder1 commented on July 19, 2024 2

Just came here from the blog post and wanted to voice my support specifically for TOTP and especially WebAuthn.

A long term stretch of being able to fire off a push notification would be awesome too, but I don't think it's as easy or reasonable to implement.

Okta has a pretty nice breakdown of the various MFA security options available today: https://help.okta.com/en-us/Content/Topics/Security/mfa/about-mfa.htm


kangmingtay avatar kangmingtay commented on July 19, 2024 2

hi @tomekit, it's on the roadmap but we don't have a timeline for this yet as we are prioritising other features such as webhooks / anonymous logins over U2F right now


marcoshw avatar marcoshw commented on July 19, 2024 1

I love Supabase too; the only reason I'm not using it for my current project is the lack of MFA. Any ETA?


steffenstolze avatar steffenstolze commented on July 19, 2024 1

When your users use a Social Provider (e.g. Login with Google) to access your services via Supabase, shouldn't MFA work (on the Social Provider side) if the Social Provider supports it? E.g. when we talk about Google as Social Provider, you'd enable MFA in the Cloud Console (https://cloud.google.com/identity-platform/docs/web/mfa)


J0 avatar J0 commented on July 19, 2024

@RichiCoder1 We've noted your feedback -- the table in the link you've provided gives quite a nice comparison so thanks for that!


J0 avatar J0 commented on July 19, 2024

Hey @steffenstolze, yup, you are right: if you have MFA enabled on the Social Provider and you are logging in with your social provider, then you will have to use MFA.

However, this wouldn't cover all cases (e.g. email/password), which may be needed for compliance purposes or general security reasons.


steffenstolze avatar steffenstolze commented on July 19, 2024

@J0 Absolutely! A complete solution that covers all use cases would be the best, of course 👌🏻


edardev avatar edardev commented on July 19, 2024

Is the 2FA feature ready yet? I am building a system that needs 2FA and was wondering if the GoTrue API has this feature or should I use something else like ORY/Kratos?


J0 avatar J0 commented on July 19, 2024

For Webauthn MFA and Passkey support please follow #92


tomekit avatar tomekit commented on July 19, 2024

Since the initial feature request mentioned U2F, just a question: is it going to be implemented?

