Two-Factor Authentication Login (m.login.2fa.totp flow) #1997

Closed

cyphar opened this issue May 14, 2019 · 3 comments
Labels
client-server Client-Server API improvement A suggestion for a relatively simple improvement to the protocol

Comments


cyphar commented May 14, 2019

At the moment, there isn't a standard (or non-standard) way for a user to have TOTP-style two-factor authentication on their account. This means that users are only protected by their passphrase (which could be weak) and makes them susceptible to keyloggers as well as rogue apps being able to re-authenticate even after the user decides to forcefully kill the device. The vast majority of web services these days support 2FA in the form of RFC 6238 TOTP Tokens.

Because login flows are designed to allow multiple stages, adding support for 2FA should only require:

  • Define a m.login.2fa.totp flow which takes an RFC 6238 TOTP Token using a pre-configured seed.
  • Define POST /_matrix/client/r0/account/two-factor/totp (or similar) for setting up the pre-configured seed.

We also need a recovery code system:

  • Define m.login.2fa.recovery as a fallback recovery-code system (these recovery codes would be re-generated each time you reconfigured 2FA).
  • Define POST /_matrix/client/r0/account/two-factor/recovery to allow manual re-generation of the recovery codes. Old recovery codes are invalidated.

I use the term "2FA" here, but really Matrix supports multi-factor authentication so you could see future extensions that would allow a server to require both a TOTP token and some other token to log in.
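A sketch of the server-side checks the two proposed stages imply, added here as an example (it is not code from the issue, from the later MSC, or from any Matrix implementation). It assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, six digits) and a made-up `TwoFactorAccount` class holding the per-account seed and recovery codes; the stage names are the ones proposed above.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Assumed parameters for the proposed m.login.2fa.totp stage: RFC 6238 with
# HMAC-SHA1, a 30-second step and 6-digit codes (common authenticator defaults).
TIME_STEP = 30
DIGITS = 6

def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP (RFC 4226) computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + d * TIME_STEP).encode(), submitted.encode())
        for d in range(-window, window + 1)
    )

class TwoFactorAccount:
    """Hypothetical server-side 2FA state for one account: seed plus single-use recovery codes."""

    def __init__(self, seed: bytes):
        self.seed = seed  # set via the proposed two-factor/totp endpoint
        self.recovery: set = set()
        self.regenerate_recovery_codes()

    def regenerate_recovery_codes(self, count: int = 8) -> list:
        """Like the proposed two-factor/recovery endpoint: the new set replaces the old one."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.recovery = set(codes)  # previous codes are now invalid
        return codes

    def complete_stage(self, stage: str, value: str, unix_time=None) -> bool:
        """Check one stage of the proposed login flow; True means the stage passed."""
        if stage == "m.login.2fa.totp":
            now = int(time.time()) if unix_time is None else unix_time
            return verify_totp(self.seed, value, now)
        if stage == "m.login.2fa.recovery" and value in self.recovery:
            self.recovery.discard(value)  # each recovery code works exactly once
            return True
        return False
```

Recovery codes are held in the clear here for brevity; a real homeserver would store only their hashes and rate-limit both stages.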

@turt2live
Member

This looks like a great foundation for a proposal - is it possible to get it written up in PR form as per https://matrix.org/docs/spec/proposals ?

@cyphar
Author

cyphar commented May 14, 2019

Yup, I was going to take a crack at it. 😉

@turt2live added the labels client-server and improvement on May 14, 2019

@cyphar
Author

cyphar commented May 14, 2019

#1998.
