Overview
The app currently relies solely on wallet signature for authentication. Adding optional TOTP-based two-factor authentication (2FA) will provide an extra layer of security for users who store significant value in their streams.
Problem
If a user's private key is compromised, there is no secondary barrier to unauthorized access. High-value users and institutional participants expect 2FA as a baseline security feature.
Proposed Solution
- Implement TOTP (RFC 6238) compatible with Google Authenticator, Authy, and 1Password
- Add a "Security" section in user settings with an enable/disable 2FA flow
- On enable: generate a secret, display QR code, require the user to confirm with a valid OTP before activation
- On login: after wallet signature, prompt for OTP if 2FA is enabled
- Provide recovery codes (8 single-use codes) shown once during setup and regeneratable from settings
- Store only the hashed secret server-side; never log or expose it
Acceptance Criteria
Overview
The app currently relies solely on wallet signature for authentication. Adding optional TOTP-based two-factor authentication (2FA) will provide an extra layer of security for users who store significant value in their streams.
Problem
If a user's private key is compromised, there is no secondary barrier to unauthorized access. High-value users and institutional participants expect 2FA as a baseline security feature.
Proposed Solution
Acceptance Criteria