Multiple factor authentication
We should implement MFA, with emails at first to validate the process.
Once this is done, let us create tickets for:
- SMS with python-smpp (once #150 is done)
- OTP (HOTP and TOTP) with otpauth
- WebAuthn, with pywebauthn
The state of the art advises to only indicate the failure of one of the factors when all the factors have been filled, and to not indicate which factor failed. This might not be needed as a first step, but should be configurable.
We should document the MFA and explain how different kinds of factors improve security.
Edited by Éloi Rivard
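A sketch of the "report failure only once every factor is filled, without naming the failed factor" behaviour from the issue above, with the configurable switch. This is an added example, not code from the project: the function names, the `reveal_failed_factor` option and the messages are hypothetical, and TOTP is computed with the standard library (RFC 4226/6238) rather than otpauth.

```python
import hashlib
import hmac
import struct

GENERIC_ERROR = "Authentication failed"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(now // step), digits)


def check_email_code(expected: str, submitted: str) -> bool:
    # Constant-time comparison of the code sent by email.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def check_totp(secret: bytes, submitted: str, now: float) -> bool:
    return hmac.compare_digest(totp(secret, now).encode(), submitted.encode())


def authenticate(checks, submitted, reveal_failed_factor=False):
    """checks: {factor name: callable(submitted value) -> bool}.

    Returns (ok, message). Nothing is verified until every factor has been
    filled, and every factor is checked even after one has failed.
    """
    missing = [name for name in checks if not submitted.get(name)]
    if missing:
        return False, "Missing factors: " + ", ".join(missing)
    # Dict comprehension, not a short-circuiting loop: all checks always run.
    results = {name: check(submitted[name]) for name, check in checks.items()}
    if all(results.values()):
        return True, "Authenticated"
    if reveal_failed_factor:
        failed = [name for name, ok in results.items() if not ok]
        return False, "Failed factors: " + ", ".join(failed)
    return False, GENERIC_ERROR
```

A real deployment would also accept adjacent TOTP time steps and rate-limit attempts; both are left out here to keep the focus on the failure reporting.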