Skip to content

Implement two-factor authentication (2FA) for account security #204

Description

@Chuks-coderr

Overview

The app currently relies solely on wallet signature for authentication. Adding optional TOTP-based two-factor authentication (2FA) will provide an extra layer of security for users who store significant value in their streams.

Problem

If a user's private key is compromised, there is no secondary barrier to unauthorized access. High-value users and institutional participants expect 2FA as a baseline security feature.

Proposed Solution

  • Implement TOTP (RFC 6238) compatible with Google Authenticator, Authy, and 1Password
  • Add a "Security" section in user settings with an enable/disable 2FA flow
  • On enable: generate a secret, display QR code, require the user to confirm with a valid OTP before activation
  • On login: after wallet signature, prompt for OTP if 2FA is enabled
  • Provide recovery codes (8 single-use codes) shown once during setup and regeneratable from settings
  • Store only the hashed secret server-side; never log or expose it

Acceptance Criteria

  • TOTP codes from standard authenticator apps are accepted
  • Invalid or expired codes are rejected with a clear error
  • Recovery codes work as fallback and are invalidated after use
  • 2FA can be disabled only after providing a valid OTP or recovery code
  • Security audit checklist completed for the TOTP implementation
  • Tests cover: setup flow, valid code, invalid code, recovery code, replay prevention

Metadata

Metadata

Assignees

No one assigned

    Labels

    complexity: highComplex feature, refactor, or new integrationenhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions