Yep, it came up in my first 2FA topic.
I've carefully considered what might have happened there and in order to maximize the chance of theymos accepting the work this time, I'm taking a different approach than NLNico. My attempt will be a patch (not a package) which allows for tighter integration and won't get in the way of implementing whatever feedback theymos might have. It will also not introduce any additional dependencies (written from scratch, no third-party code). Finally, it won't require JavaScript, which is important to me (and I'm guessing a few others).
How are you going about the two factor authentication exactly? Via normal routes or a Bitcoin specific route with signing?
It'll be a basic implementation of RFC 6238 (TOTP: Time-Based One-Time Password Algorithm). Nothing exotic, just a simple 6-digit code entered at login for those users that have enabled it.
The implementation is flexible enough for theymos to configure the specifics (hash algorithm, time step, digit count, synchronization window). The default values are set to maximize compatibility, so all the ordinary 2FA applications will work (e.g. Google Authenticator, Authy, FreeOTP, KeePassXC, WinAuth, etc.).
I've been through as much 2FA content as I could find on the forum and I'm trying to make sure that my implementation won't upset anyone or introduce new problems. I'm also mindful that theymos is unlikely to accept a patch that involves too much additional code (and therefore, new attack surface) so I'm keeping the patch as small and easy to review as I can.
I'll get into all the details when I post about it. We probably shouldn't derail this thread with prolonged 2FA discussion.
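As an added illustration of the RFC 6238 scheme described above (example code written for this thread, not the patch, NLNico's package or the forum software itself), here is a minimal TOTP in Python exposing the four knobs mentioned: hash algorithm, time step, digit count and synchronization window. The base32 helper and the replay guard (`last_counter`) are assumptions about how a server would wire it up, not something the post specifies; the values checked below are the RFC 4226 / RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 permits HMAC-SHA1/256/512; most authenticator apps only speak SHA-1.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamic-truncate, keep `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # zfill keeps leading zeros


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                algorithm: str = "sha1", window: int = 1, last_counter: int = -1):
    """Return the matched counter, or None.

    `window` is the synchronization window: steps accepted either side of "now" to tolerate
    clock drift. Counters at or below `last_counter` (the last one the server accepted for
    this user; an assumed server-side record) are refused so a code cannot be replayed.
    """
    if at is None:
        at = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        # compare_digest keeps timing independent of how many digits match
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32; tolerate lowercase, spaces and missing padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))
```

The server should persist the counter returned by `verify_totp` and pass it back as `last_counter` on the next login, otherwise a captured code stays valid for the whole window.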
