Skip to content
/ phoenix-2fa Public

A sample phoenix application with WebAuthN, TOTP and "Backup Recovery Codes" registration and authentication implemented.

phoenix-2fa.fly.dev
4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

guessthepw/phoenix-2fa

BranchesTags

Repository files navigation

Phoenix2FA

demo.mp4

Phoenix2FA is a simple two-factor authentication (2FA) system built on top of the Phoenix-generated Auth System, and meant to serve as an example. It has support for registration and authentication for three different key types:

  • :totp - Time-based One-time Password (Google Authenticator, QR Code etc)
    • Uses NimbleTOTP for TOTP (Time-based One-Time Password)
  • :u2f - Universal 2nd Factor , physical device
  • :recovery - List of x digits given to user, one time use, used as last resort

I used the commands:

  • mix phx.new phoenix_2fa
  • mix phx.gen.auth Accounts User users
  • mix phx.gen.html Accounts UserKey user_keys cred_id:string label:string last_used:utc_datetime mfa_key:binary kind:enum:u2f:totp:recovery user_id:references:users
  • Then made additional changes.

Built With

  • Postgres - ~ 15.2
  • erlang - ~ 26.0.1
  • Elixir - ~ 1.14.5-otp-26
  • Phoenix - ~ 1.7.3
  • Phoenix LiveView - ~ 0.19.1
  • NodeJS - ~ 19.3.0

TODO

  • Switch to LiveViews
  • Additional tests / docs
  • PRS Welcome

Database changes

We need an additional table to track the three different kinds of user keys we have.

classDiagram
direction LR
users "1" --> "*" user_keys
class user_keys {
   string : cred_id
   string : label
   utc_datetime : last_used
   binary : mfa_key
   enum : kind (u2f, totp, recovery)
   fk : user_id
   utc_datetime : inserted_at
   utc_datetime : updated_at
   int : id
}
class users {
   string : email
   string : hashed_password
   utc_datetime : confirmed_at
   utc_datetime : inserted_at
   utc_datetime : updated_at
   int : id
}

Setup

  • Run mix setup to install and setup dependencies
  • Start Phoenix endpoint with mix phx.server or inside IEx with iex -S mix phx.server

Now you can visit localhost:4000 from your browser.

Further Resources

Security considerations (taken from Wax)

Make sure to understand the implications of not using attested credentials before accepting none or self attestation types, or disabling it for packed and u2f formats by disabling it with the verify_trust_root option

About

A sample phoenix application with WebAuthN, TOTP and "Backup Recovery Codes" registration and authentication implemented.

phoenix-2fa.fly.dev

Topics

security elixir phoenix-liveview

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Languages