We have only one factor for authentication for the Traackr App? Why not two!

How Far Did We Get?

Customers can go to their “security” page (formerly just the “change password” page) and see a section for setting up 2FA. When it is enabled, a QR code is displayed; the customer scans this code into Google Authenticator (or a similar app). On subsequent logins, they are prompted to enter the 2FA token before they are logged into the site. If they disable 2FA and turn it back on, the same secret is used; they will not need to re-scan the QR code.

Adding 2FA itself was straightforward, but accommodating the new flow required refactoring our login / session code. That took up a good chunk of the day spent working on this.
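The flow above (a shared secret stored with the account, rendered once as a QR code, then a time-based token checked at every login) is what RFC 4226 HOTP and RFC 6238 TOTP specify. The following is an added, self-contained example written for this page, not the Traackr app's code: it uses only the Python standard library, assumes “Traackr” as the issuer label and a constructed account name, and shows the three pieces the security page needs: generating the secret, building the otpauth:// URI that the QR code encodes, and verifying a submitted token with a small clock-skew window while refusing to accept the same time step twice.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

ISSUER = "Traackr"  # assumed issuer label shown in the authenticator app


def secret_from_bytes(raw):
    """Base32-encode a raw shared secret (the form the authenticator app expects)."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def generate_secret(nbytes=20):
    """New random shared secret; 160 bits matches the HMAC-SHA1 output RFC 4226 assumes."""
    return secret_from_bytes(secrets.token_bytes(nbytes))


def provisioning_uri(secret_b32, account, issuer=ISSUER):
    """The otpauth:// URI that gets rendered into the QR code on the security page."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{params}"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = number of whole periods since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, digits)


def verify_totp(secret_b32, submitted, at=None, period=30, digits=6, window=1, last_used_counter=None):
    """Check a submitted code at login.

    Returns the accepted time-step counter, or None when the code is rejected.
    `window` tolerates clock skew of +/- one period; `last_used_counter` is the
    counter of the last code this customer successfully used, so a code that was
    already accepted cannot be replayed while it is still inside the window.
    """
    if at is None:
        at = time.time()
    counter = int(at) // period
    submitted = submitted.replace(" ", "")
    for c in range(counter - window, counter + window + 1):
        if last_used_counter is not None and c <= last_used_counter:
            continue  # already consumed (or older): treat as a replay
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    # Enrollment: the secret is generated once, stored with the account, and shown as a QR code.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com"))  # constructed account name
    # Login: the customer types the code the app displays right now.
    code = totp(secret)
    print(code, verify_totp(secret, code))
```

The accepted counter returned by verify_totp is what the login code should persist alongside the secret; passing it back as last_used_counter on the next attempt is what turns the token into a true one-time value, since without it a code intercepted during the 30-second period is still good for the remainder of the window.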

What’s Next?

  • Add recovery codes to the process to allow customers to recover their 2FA connection should they lose the data on their app.
  • Determine whether re-using the secret on disable / re-enable is best practice or whether a new secret should be generated each time.
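For the first item, recovery codes are normally handled like passwords: generated once from a CSPRNG, shown to the customer a single time, and stored only as hashes so that each one can be redeemed exactly once. The example below is added here and is not the app's code; the code format (two groups of five characters from an alphabet without look-alike letters), the per-user salt and the use of plain SHA-256 (acceptable because each code carries roughly 49 bits of entropy, unlike a user-chosen password) are design choices of this example.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/I/L) so codes survive being read off paper.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"
CODE_LEN = 10  # 10 symbols from 31 choices is about 49 bits of entropy per code


def generate_recovery_codes(count=10):
    """Plaintext codes, formatted XXXXX-XXXXX; shown to the customer once and never stored."""
    codes = []
    for _ in range(count):
        chars = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        codes.append(f"{chars[:5]}-{chars[5:]}")
    return codes


def normalize(code):
    """Accept what a customer is likely to type: any case, with or without the dash or spaces."""
    return code.strip().upper().replace("-", "").replace(" ", "")


def hash_code(code, user_salt):
    """Only this digest is stored, so a database leak does not hand out usable codes."""
    return hashlib.sha256(user_salt + normalize(code).encode("ascii")).hexdigest()


class RecoveryCodeStore:
    """Per-customer set of unused recovery-code hashes (what the account row would hold)."""

    def __init__(self, user_salt=None):
        self.salt = user_salt or secrets.token_bytes(16)
        self.hashes = set()

    @classmethod
    def issue(cls, count=10):
        """Create a fresh batch: returns the store to persist and the plaintext to display once."""
        store = cls()
        plaintext = generate_recovery_codes(count)
        store.hashes = {hash_code(c, store.salt) for c in plaintext}
        return store, plaintext

    def remaining(self):
        return len(self.hashes)

    def redeem(self, submitted):
        """Consume a code: True exactly once per code, False for unknown or already-used codes."""
        candidate = hash_code(submitted, self.salt)
        for stored in list(self.hashes):
            if hmac.compare_digest(stored, candidate):
                self.hashes.discard(stored)  # single use: remove before returning success
                return True
        return False


if __name__ == "__main__":
    store, codes = RecoveryCodeStore.issue()
    print("show once:", codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

A login that redeems a recovery code should be treated the same as one that passed the TOTP check, and the count of remaining codes is worth surfacing on the security page so the customer can regenerate a batch (which replaces the whole set) before running out.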