Best practices for Two Factor Auth in 2021

Hi everyone!

For our latest project we would like to implement 2FA for our Devise user accounts that works like this:

  1. The user opens
  2. The user enters his username + password
  3. The credentials get validated; if they are correct, an email containing a six-digit one-time code is sent
  4. The user enters the OTP code on the next page
  5. If the code is correct, the user is logged in

After spending lots of time on research, we didn’t find a solution that feels ‘right’, especially with the constraints that we would like to continue using Devise if possible and the OTP code delivery method preferably being email.

Here are approaches that we considered:

So all in all, none of the approaches really matches what we are looking for. Therefore I would love to hear if you have already implemented 2FA in your Rails apps, which approach you chose and what your experiences were.

Looking forward to your feedback!
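For the flow in steps 3 to 5 above, here is the core of an email-OTP second step written as an added example; it is not Devise code and not something from the original post. It assumes a per-deployment secret (`server_key`, e.g. from Rails credentials), uses an in-memory hash where a real app would use a table, and leaves the actual mail delivery and the Devise hook-up to the caller. It only stores an HMAC of the code, binds that HMAC to the user, expires codes, makes them single-use, caps guesses so a 6-digit space cannot be searched within the TTL, and compares in constant time.

```ruby
require "securerandom"
require "openssl"

# Added example (not Devise code): issue and verify six-digit one-time codes
# sent out of band (here: by email) after the password has already been checked.
class EmailOtp
  CODE_LENGTH  = 6
  DEFAULT_TTL  = 10 * 60 # seconds a code stays valid
  MAX_ATTEMPTS = 5       # failed guesses before the code is burned

  Challenge = Struct.new(:user_id, :digest, :expires_at, :attempts, keyword_init: true)

  # server_key: deployment secret, assumed to come from Rails credentials.
  # clock: injectable so expiry can be tested without sleeping.
  def initialize(server_key:, ttl: DEFAULT_TTL, clock: -> { Time.now })
    @server_key = server_key
    @ttl = ttl
    @clock = clock
    @challenges = {} # user_id => Challenge; stands in for a DB table
  end

  # Step 3: after a successful password check, create a challenge and return the
  # plaintext code exactly once so the caller can email it. Only an HMAC is kept,
  # so a leaked table does not leak usable codes. A previous challenge is replaced.
  def issue(user_id)
    code = format("%0#{CODE_LENGTH}d", SecureRandom.random_number(10**CODE_LENGTH))
    @challenges[user_id] = Challenge.new(
      user_id: user_id,
      digest: digest_for(user_id, code),
      expires_at: @clock.call + @ttl,
      attempts: 0
    )
    code
  end

  # Steps 4 and 5: check the submitted code.
  # Returns :ok, :no_challenge, :expired, :locked or :invalid.
  def verify(user_id, submitted)
    ch = @challenges[user_id]
    return :no_challenge if ch.nil?

    if @clock.call > ch.expires_at
      @challenges.delete(user_id)
      return :expired
    end

    ch.attempts += 1
    candidate = submitted.to_s.strip
    ok = candidate.match?(/\A\d{#{CODE_LENGTH}}\z/) &&
         secure_compare(digest_for(user_id, candidate), ch.digest)

    if ok
      @challenges.delete(user_id) # single use: a code can never be replayed
      return :ok
    end

    if ch.attempts >= MAX_ATTEMPTS
      @challenges.delete(user_id) # burn it; the user must redo the password step
      return :locked
    end

    :invalid
  end

  private

  # Bind the digest to the user so a code issued for one account cannot be
  # submitted against another.
  def digest_for(user_id, code)
    OpenSSL::HMAC.hexdigest("SHA256", @server_key, "#{user_id}:#{code}")
  end

  # Constant-time comparison; hex digests are fixed length, so the length
  # check itself leaks nothing about the code.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Devise app the natural place for `issue` is right after `warden` authenticates the password (before the session is considered fully signed in, e.g. by keeping a "password OK, awaiting OTP" flag in the session), and `verify` belongs in the controller that renders the OTP page; a rate limit on the email-sending endpoint itself is still needed so the mailer cannot be used to spam the user.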


