For our latest project we would like to implement 2FA for our Devise user accounts that works like this:
- The user opens example.com/login
- The user enters his username + password
- The credentials get validated, if they are correct an email containing a six-digit one time code is sent
- The user enters the OTP code on the next page
- If the code is correct, the user is logged in
After spending lots of time on research, we didn’t find a solution that feels ‘right’, especially given the constraints that we would like to continue using Devise if possible and that the OTP code should preferably be delivered by email.
Here are approaches that we considered:
- GitHub - tinfoil/devise-two-factor: Barebones two-factor authentication with Devise. Looks like this gem is under active development, however it seems that there is no intermediate step and the user would have to enter his credentials + OTP code on the same page.
- GitHub - williamatodd/devise-2fa: Devise 2FA with Time Based OTP/rfc6238 tokens and encrypted secrets. Seems to be optimized for a use case where the user would use an external authenticator (like Google Authenticator or 1Password) instead of email.
- GitHub - Houdini/two_factor_authentication: Two factor authentication extension for Devise. I tried to build an MVP using this gem, but it doesn’t look like it is compatible with Ruby 3.0.0 and Rails 6.1, as I ran into lots of errors. Also there are 23 open pull requests and it seems no one is really maintaining the gem.
- GitHub - twilio/authy-devise: Authy Devise plugin to add Two-Factor Authentication. I built a working prototype using Twilio Authy, however they use a phone number as primary identifier, so an email-only workflow is not supported.
- OmniAuth: Overview · heartcombo/devise Wiki · GitHub. We could offer login with Google / Facebook / GitHub etc. via Devise OmniAuth and outsource the actual login process, however we would prefer not to have to use OAuth.
- Implementing OTP two-factor authentication as a second login step with Rails and Devise - James Ridgway. Seems to be lots of custom code for something that we think should be quite a common use case.
- https://auth0.com/: We are even considering outsourcing the user accounts completely to a 3rd party service like Auth0. However, while it would solve the initial issue, we don’t like the dependency on a 3rd party provider, and it seems that certain user management related tasks in the future will actually become more complicated with such an approach.
So all in all, none of the approaches really matches what we are looking for. Therefore I would love to hear if you have already implemented 2FA in your Rails apps, which approach you chose and what your experiences were.
Looking forward to your feedback!
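The flow described in the question (password check, then a separate page for a six-digit emailed code) comes down to a small amount of server-side state, and the parts that are easy to get wrong are the security properties of that state rather than the Devise wiring. The following is an added example, not code from the original post or from any of the gems listed above. It is plain Ruby with no Rails dependency so it runs stand-alone: `EmailOtpChallenge` holds one issued code, and `SecondStepLogin` stands in for the two controller actions that would sit around Devise's own password validation. All class, method and session-key names are assumptions, as are the five-minute lifetime and five-attempt limit; the `mailer` callable stands in for whatever actually sends the email, and `session[:signed_in_user_id]` marks the point where a real app would call Devise's `sign_in(user)`.

```ruby
require 'securerandom'
require 'digest'

# One e-mailed OTP challenge. Only the salt and digest are meant to be
# persisted (on the user row or in a server-side session store); the
# plaintext code is returned once for e-mailing and then discarded.
class EmailOtpChallenge
  CODE_LENGTH  = 6
  TTL_SECONDS  = 5 * 60  # assumed policy: code valid for five minutes
  MAX_ATTEMPTS = 5       # assumed policy: five wrong guesses lock the challenge

  attr_reader :user_id, :plaintext_code

  # Issue a fresh challenge after Devise has validated the password.
  def self.issue(user_id, now: Time.now)
    code = format("%0#{CODE_LENGTH}d", SecureRandom.random_number(10**CODE_LENGTH))
    new(user_id, code, now)
  end

  def initialize(user_id, code, issued_at)
    @user_id = user_id
    @plaintext_code = code
    @salt = SecureRandom.hex(16)
    @digest = digest_for(code)
    @issued_at = issued_at
    @attempts = 0
    @consumed = false
  end

  # Returns :ok, :already_used, :expired, :locked or :invalid.
  # Expiry and lockout are checked before the guess is counted, so a locked
  # or stale challenge can never be brute-forced back to life.
  def verify(submitted, now: Time.now)
    return :already_used if @consumed
    return :expired if now - @issued_at > TTL_SECONDS
    return :locked if @attempts >= MAX_ATTEMPTS

    @attempts += 1
    submitted = submitted.to_s.strip
    return :invalid unless submitted.match?(/\A\d{#{CODE_LENGTH}}\z/)

    if secure_equal?(digest_for(submitted), @digest)
      @consumed = true # single use
      :ok
    else
      @attempts >= MAX_ATTEMPTS ? :locked : :invalid
    end
  end

  private

  # Salted SHA-256: a leaked database row does not expose a still-valid code.
  def digest_for(code)
    Digest::SHA256.hexdigest("#{@salt}:#{code}")
  end

  # Constant-time comparison so response timing does not leak matching prefixes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The two controller actions around Devise's password check. `session` is a
# Hash standing in for the Rails session; challenges are kept server-side,
# keyed by user id (assumed storage).
class SecondStepLogin
  def initialize(mailer:)
    @challenges = {}
    @mailer = mailer # callable taking (user_id, code); stands in for the real mailer
  end

  # Step 1: password was accepted. Issue and e-mail a code; do NOT sign in yet.
  def password_accepted(session, user_id, now: Time.now)
    challenge = EmailOtpChallenge.issue(user_id, now: now)
    @challenges[user_id] = challenge
    @mailer.call(user_id, challenge.plaintext_code)
    session[:pending_otp_user_id] = user_id
  end

  # Step 2: the OTP page. Only the user pending from step 1 can be signed in,
  # so the code field cannot be used as a login for a different account.
  def otp_submitted(session, code, now: Time.now)
    user_id = session[:pending_otp_user_id]
    challenge = user_id && @challenges[user_id]
    return :no_pending_login unless challenge

    result = challenge.verify(code, now: now)
    if result == :ok
      session[:signed_in_user_id] = user_id # where Devise's sign_in(user) would go
    end
    # Any terminal outcome discards the pending login; the user starts over.
    if %i[ok expired locked already_used].include?(result)
      session.delete(:pending_otp_user_id)
      @challenges.delete(user_id)
    end
    result
  end
end
```

The point of keeping the digest rather than the code, and of checking expiry and the attempt counter before counting the guess, is that a six-digit code has only a million possibilities: without a lockout it is trivially brute-forceable, and without single use a code found in a mailbox later is still a login. In a real Devise app the pending user id would go in the session and the salt, digest, issued time and attempt count on the user record, with `sign_in(user)` replacing the `session[:signed_in_user_id]` line.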