
I'm using Clearance for authentication on my Rails app. More and more of my users ask me to implement some kind of 2 Factor Authentication. I am thinking that when signed in, users could opt-in to use 2FA instead of logging in with e-mail and password.

What kind of 2FA would you recommend I be using? My users are mostly companies using the app for their team work. They would like to have

There are so many choices that I am a bit lost. For the sake of simplicity I am currently looking at Google Authenticator. Is that a good choice? What about other options, like sending a magic link to their e-mail address to authenticate them by clicking on it (which has the benefit of refusing authentication if the user has left the organization and doesn't have access to that mailbox anymore).

What would it take to make this kind of authentication work with Clearance that I am currently using for authentication?

edouardbriere
  • Hello, did you manage to implement 2FA with Clearance? We have to use email+password as a first factor and a code sent via email as a second. I don't see Clearance supporting it on its own. – ciemborowicz Feb 17 '22 at 18:17

1 Answer


Firstly, I would not recommend allowing users to login with a 2FA code alone. It is the second factor after all; most of the time it will contain less entropy than a user's password.

I would recommend using Time-based One Time Passwords (TOTP) with Google Authenticator as the client's token management app. It is easy to integrate into Rails with the Active Model OTP Gem.

Sending one-time codes via email or SMS is not the best method. SMS codes are stealable via phone number spoofing, and email codes break 2FA if an attacker has control of a user's email address, which can also perform password resets, making it a one-stop shop for account takeovers.

If you want to use the true state of the art then take a look at U2F which relies on cryptographic signatures.

When integrating with Clearance, be sure to validate the 2FA token only after you validate their username and password, especially if you are using TOTP.

lastcanal
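As an added example (not code from the answer, from Clearance or from the Active Model OTP gem), here is a minimal RFC 6238 TOTP verifier in plain Ruby together with the sign-in order the answer recommends: the password is checked first and the one-time code is only consulted once it passes. The `User` struct, its `otp_secret` field and the SHA-256 `password_matches?` stand-in are constructed for the example; a real Clearance app would call the user's bcrypt-backed `authenticated?` instead.

```ruby
require 'openssl'

# Minimal TOTP (RFC 6238) on top of HOTP (RFC 4226), HMAC-SHA1, 6 digits.
module Totp
  STEP = 30
  DIGITS = 6

  # HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
  def self.hotp(secret, counter)
    hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
    offset = hmac[-1].ord & 0x0f
    code = hmac[offset, 4].unpack1('N') & 0x7fffffff
    (code % 10**DIGITS).to_s.rjust(DIGITS, '0')
  end

  # TOTP: the HOTP counter is the number of 30-second steps since the epoch.
  def self.totp(secret, time = Time.now.to_i)
    hotp(secret, time / STEP)
  end

  # Constant-time string comparison so a wrong guess cannot be timed.
  def self.secure_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Accept the current step and one step either side to tolerate clock drift.
  def self.valid?(secret, code, time = Time.now.to_i)
    (-1..1).any? { |d| secure_eq?(hotp(secret, time / STEP + d), code) }
  end
end

# Constructed stand-in for a Clearance user row; otp_secret is nil until the
# user opts in to 2FA. The SHA-256 digest is ONLY a placeholder for bcrypt.
User = Struct.new(:email, :password_digest, :otp_secret) do
  def password_matches?(password)
    Totp.secure_eq?(OpenSSL::Digest::SHA256.hexdigest(password), password_digest)
  end
end

# Sign-in order from the answer: password first, second factor only afterwards,
# so a leaked 6-digit code on its own can never open a session.
def sign_in(user, password, otp_code, time = Time.now.to_i)
  return :bad_password unless user.password_matches?(password)
  return :ok if user.otp_secret.nil? # 2FA not enabled for this user
  Totp.valid?(user.otp_secret, otp_code.to_s, time) ? :ok : :bad_otp
end
```

The RFC 6238 test key `12345678901234567890` at T=59 yields `287082`, which is a handy fixture for a spec before wiring the check into a Clearance sign-in controller.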