Multi-Factor Auth

Problem Statement

Add TOTP to Crafty for an added layer of security. Currently, if a user's password is compromised, a bad actor can gain access to the account very easily, as no second factor is required.

Who will benefit?

All users of Crafty, especially those with public facing instances.

Benefits and risks

What benefits does this bring?
    - Increased security for all accounts.

What risks might this introduce?
    - Added dependency that will need to be kept updated.
    - Could lock users out of their accounts. Need to make sure there is a robust, safe and secure recovery path.

Proposed solution

2FA Solution:

  • Use pyotp to create/check 6-digit two factor authentication codes.
  • Store one boolean totp enabled and one totp key in the users table.
  • Once we have a successful login using user credentials, if TOTP is enabled for the user, we send an API response requesting additional authentication. The login form on that page is replaced with the TOTP form. Following a valid TOTP code we redirect to either the dashboard or whichever page the user originally intended to go to.
  • Add an additional button on the panel_details page for users to "roll TOTP", which will, on the next successful credential login, force the user to re-scan the barcode to get a new TOTP secret in case they somehow lose their authenticator.
  • Create backup codes that are given to the user in the event they lose access to their TOTP. These would only be accepted after a successful username/password login.
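The flow above (secret stored per user, 6-digit code check after the credential login, "roll TOTP" forcing re-enrolment, single-use backup codes) as an added example. This is not Crafty's code and does not use pyotp: the TOTP part is RFC 6238 implemented with the standard library so it runs without the dependency, and pyotp's `TOTP(secret).verify()` would fill the same role. The `User` fields, the API response strings and the backup-code format are assumptions made for the example.

```python
"""RFC 6238 TOTP plus single-use backup codes, standard library only.
Added example, not Crafty's own code; field and response names are assumed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STEP = 30      # seconds per TOTP window
DIGITS = 6     # code length, as in the proposal


def generate_totp_secret() -> str:
    """Fresh 160-bit secret, base32 encoded (the form authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret: str, username: str, issuer: str = "Crafty") -> str:
    """otpauth URI that gets rendered as the QR/barcode the user scans."""
    return f"otpauth://totp/{issuer}:{username}?secret={secret}&issuer={issuer}"


def totp_code(secret: str, timestamp: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HOTP(key, floor(T / step)) with HMAC-SHA1 and dynamic truncation (RFC 4226/6238)."""
    key = base64.b32decode(secret, casefold=True)
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: str, code: str, timestamp: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current window plus `window` steps either side for clock drift.
    Constant-time compare so a wrong guess is not distinguishable by timing."""
    if timestamp is None:
        timestamp = int(time.time())
    if not (code.isdigit() and len(code) == DIGITS):
        return False
    return any(
        hmac.compare_digest(totp_code(secret, timestamp + drift * STEP), code)
        for drift in range(-window, window + 1)
    )


def _hash_backup_code(code: str) -> str:
    # Codes carry 64 bits of randomness, so a fast hash is acceptable here;
    # only the hash is stored, never the plaintext code.
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def generate_backup_codes(count: int = 8) -> Tuple[List[str], List[str]]:
    """Return (plaintext codes shown once to the user, hashes kept in the users table)."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    return codes, [_hash_backup_code(c) for c in codes]


@dataclass
class User:
    """Assumed shape of the users-table row the proposal adds fields to."""
    username: str
    totp_enabled: bool = False
    totp_key: str = ""
    roll_totp: bool = False          # set by the "roll TOTP" button
    backup_code_hashes: List[str] = field(default_factory=list)


def after_credential_login(user: User) -> str:
    """What the API answers once the username/password check has succeeded."""
    if user.roll_totp:
        return "enroll_totp"      # show a new barcode; the old secret is discarded
    if user.totp_enabled:
        return "totp_required"    # client swaps the login form for the TOTP form
    return "dashboard"


def redeem_backup_code(user: User, code: str) -> bool:
    """Single use: the matching hash is removed so the code cannot be replayed."""
    digest = _hash_backup_code(code)
    for stored in user.backup_code_hashes:
        if hmac.compare_digest(stored, digest):
            user.backup_code_hashes.remove(stored)
            return True
    return False
```

Both `verify_totp` and `redeem_backup_code` are only reachable after `after_credential_login` has returned something other than `"dashboard"`, which is the ordering the proposal requires: neither the TOTP form nor the backup codes are offered to someone who has not already presented valid credentials. Rate-limiting the 6-digit check is still needed on top of this, since the code space is only one million values.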

Examples

Priority/Severity

  • High (This will bring a huge increase in performance/productivity/usability)
  • Medium (This will bring a good increase in performance/productivity/usability)
  • Low (anything else e.g., trivial, minor improvements)
Edited by Andrew