OAuth2, but require multi-factor authentication (MFA)

I have an application with confidential PII (social security numbers, payroll information). I would like to allow users to log in with OAuth identities (Google, LinkedIn) for convenience, but require that these accounts have multi-factor authentication enabled at the identity provider; that is, they could not log in through OAuth2 if the user did not enable MFA on their underlying identity provider account. This keeps my sensitive information from being exposed by weak Gmail passwords.

Is there any way to do this?

+5
2 answers

Unfortunately not.
In the case of Google and LinkedIn, the authentication level is not associated with a specific scope. The OAuth response does not indicate whether or not the user used an OTP token.

Even if the user is enrolled in MFA, the user can register the computer they use as a trusted one, in which case Google will never prompt them for an OTP. This can prevent many users from accessing your application.

+1

In fact, I believe that you can check your own session/token to see if it was created through Google, Twitter, Facebook, etc., and then require MFA/2FA/OTP when this token is used for the first time. Does that make sense?

You can start your own TOTP microservice using Browser Authenticator, which has the components necessary for creating and verifying the key and token in the browser, and Node Authenticator, which has the additional server-side code.

Just add your own storage mechanism and an HTTPS call to the microservice, update the session/token and voilà, you have added two-factor/multi-factor/one-time password authentication directly on top of them.

+1
