
On 2024/01/11 14:48, Mark Janssen via members-discuss wrote:
> On Thu, 2024-01-11 at 14:35 +0100, Mike B wrote:
> > My rationale for this is that some organisations do not allow phones within the office, nor have any apps available to install on their systems. Perhaps a more generic scenario is if a phone is out of battery. I'm sure you can appreciate that while I am in favour of MFA, I think this must be in a different format.
>
> TOTP can be done without phones or phone apps... it just needs the shared secret and an HMAC function; this can be done via various password managers, simple Python scripts, your TI-81 calculator or any number of other methods.
>
> I would advise against any form of e-mail 2FA, as this really reduces it to a single factor (with password resets via email).

BTW, TOTP is supported by a recent YubiKey, so you can use it as a hardware token as well. But +1 for FIDO2 implementation; it is a very popular standard with many implementations on the market. And it should be easy to implement on the backend/frontend side; implementation is very straightforward with many examples all around.

-- 
Oleksij Samorukov