I'm implementing TOTP in my application to allow users to use two factor authentication with Google authenticator and the like.

However I've also implemented "social login" using OAuth, should the users be prompted for their TOTP codes when logging in with those OAuth accounts as well? (Given that users might already be using 2FA on that service the login experience could become cumbersome)

Jacco
NanoBob

2 Answers

It depends on what you want to achieve. When using "social login" you are delegating user security responsibility to a third party (well, in a way to your user, as in most of these authentication sources 2FA is optional). If you want your service access to be MFA protected, then you should not even be allowing OAuth.

Emin
  • Could you please elaborate why I should not be allowing OAuth for login and offer multi factor authentication to the users? – NanoBob Feb 08 '19 at 14:07
  • Ok, here is my point of view. You want MFA, so you want strong security. You want social login, so you want user comfort. You cannot be sure if your user logging in using Facebook has the account protected with MFA - there is no API to check it. So you cannot allow only social login. You can add MFA after OAuth takes place and ask for TOTP. But imagine your user already has the Facebook account with MFA enabled. In this case, the user will have to provide 3 sets of credentials: Facebook password, Facebook OTP and OTP of your system - this is not very user-friendly. – Emin Feb 09 '19 at 17:19
  • I understand your point, however I'm looking at it from the user's point of view, it would be in the user's best interest to have the option to use TOTP if they so desire. So what I think I am going to do, is have a user setting of whether or not they want to use two factor when logging in with OAuth. – NanoBob Feb 10 '19 at 22:15
  • @NanoBob, just an addendum: it seems that with Google you can check whether 2FA is enabled: https://developers.google.com/admin-sdk/reports/v1/reference/usage-ref-appendix-a/users-accounts – Emin Feb 11 '19 at 11:29

It's a good idea to offer MFA even with SSO via OAuth (or any other method). Security-conscious users will enable it, the rest won't. If your goal is to protect users from themselves by mandating MFA before accessing your app's highly sensitive accounts, I can't recommend allowing SSO with third-party services at all. If your goal is to get users to use MFA somewhere, either in your app or the SSO provider... well, you can't enforce that except by requiring MFA locally (which might be obnoxious to users who now have to perform MFA multiple times, but does improve security for users who don't protect their SSO account), but you can strongly encourage it (perhaps by making it opt-out rather than opt-in, with the opt-out button saying "my OAuth account uses MFA already" and not offering opt-out at all to people who use non-OAuth accounts).

CBHacking
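The step-up policy both answers converge on (TOTP is always required for local-password logins once enrolled, while an OAuth login may skip it only if the user explicitly opted out with "my OAuth account uses MFA already"), shown as an added example that is not code from either answerer. The `User` fields, the `login_method` strings and the one-step clock-skew window are assumptions; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what Google Authenticator uses.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30


def totp(secret_b32: str, for_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter with HMAC-SHA1."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps to tolerate clock drift.
    Compare in constant time so the check does not leak which digits matched."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * STEP_SECONDS), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


@dataclass
class User:
    totp_secret: Optional[str]  # assumed field: None until the user enrols TOTP
    oauth_mfa_opt_out: bool     # assumed field: "my OAuth account uses MFA already"


def needs_totp(user: User, login_method: str) -> bool:
    """Decide, after primary authentication succeeded, whether to run the TOTP step.
    login_method is 'password' or 'oauth' (assumed labels). The opt-out is honoured
    only for OAuth logins; local-password logins always get TOTP once enrolled."""
    if user.totp_secret is None:
        return False
    if login_method == "oauth" and user.oauth_mfa_opt_out:
        return False
    return True
```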