Best practices for Two Factor Auth in 2021

Hi everyone!

For our latest project we would like to implement 2FA for our Devise user accounts that works like this:

1. The user opens example.com/login
2. The user enters his username + password
3. The credentials get validated, if they are correct an email containing a six-digit one time code is sent
4. The user enters the OTP code on the next page
5. If the code is correct, the user is logged in

After spending lots of time on research, we didn’t find a solution that feels ‘right’, especially with the constraints that we would like to continue using Devise if possible and the OTP code delivery method preferably being email.

Here are approaches that we considered:

• GitHub - tinfoil/devise-two-factor: Barebones two-factor authentication with Devise Looks like this gem is under active development, however it seems that there is no intermediate step and the user would have to enter his credentials + OTP code on the same page.

• GitHub - williamatodd/devise-2fa: Devise 2FA with Time Based OTP/rfc6238 tokens and encrypted secrets. Seems to be optimized for a use case where the user would use an external authenticator (like Google Authenticator or 1Password) instead of email.

• GitHub - Houdini/two_factor_authentication: Two factor authentication extension for Devise I tried to build an MVP using this Gem, but it doesn’t look like it is compatible with ruby 3.0.0 and rails 6.1, as I ran into lots of errors. Also there are 23 open pull requests and it seems no one is really maintaining the gem.

• GitHub - twilio/authy-devise: Authy Devise plugin to add Two-Factor Authentication I built a working prototype using Twilio Authy, however they use a phone number as primary identifier, so an email-only workflow is not supported.

• OmniAuth: Overview · heartcombo/devise Wiki · GitHub We could offer login with Google / Facebook / GitHub etc. via Devise Omniauth and outsource the actual login process, however we would prefer to not have to use OAuth.

• Implementing OTP two-factor authentication as a second login step with Rails and Devise - James Ridgway Seems to be lots of custom code for something that we think should be quite a common use case.

• https://auth0.com/ We are even considering outsourcing the user accounts completely to a 3rd party service like Auth0. However, while it would solve the initial issue we don’t like the dependency on a 3rd party provider and it seems that certain user management related tasks in the future will actually become more complicated with such an approach.

So all in all, none of the approaches really matches what we are looking for. Therefore I would love to hear if you have already implemented 2FA in your Rails apps, which approach you chose and what your experiences were.

Looking forward to your feedback!

Marius

We are looking for the exact same thing.

What did you do finally?

Hi Marco,

in the end we decided to go with Auth0 because we

• a) couldn’t find a Ruby / Rails solution that ‘just works’ out of the box
• b) didn’t want to spend development resources to build a system ourselves

I recomend GitHub - lazaronixon/authentication-zero: An authentication system generator for Rails applications.

Thanks! That looks indeed like a promising project (while still being started only quite recently).

It seems promising, but I don’t like the generator approach. It would be better to have a gem like Devise, without too many files in your application. Otherwise upgrading and staying up-to-date with security patches can become a real pain!

@collimarco Agreed. My preferred solution would behave more like a complete blackbox, e.g. a service (like for instance Sidekiq) that I’d run locally which would expose a couple routes that handle everything related to authorization but that I wouldn’t need to maintain too much.

Auth0 solves this partially, however it creates new issues (mainly slowness and missing encapsulation) because you cannot run it locally.