Adding multifactor authentication
Our app allows users to log in by providing an email and a password. This means we allow them to authenticate with something they know (i.e., the password). We could also allow them to use other factors of authentication, such as their fingerprint (i.e., something they are) or a specific mobile device (i.e., something they have). Requiring a user to authenticate using multiple factors makes it much harder for an attacker to gain access to their account; however, it also makes it harder for the user to authenticate. Therefore, it is best to allow users to opt into multifactor authentication.
Users are most familiar with using their phones as an additional factor, which we will implement using time-based one-time passcode (TOTP) tokens based on a shared secret. The shared secret, on the user’s phone, is an additional factor. It is also common to use SMS messages sent to the user’s phone; however, this method is increasingly...