
Authentication needs to be more secure every day, at least from a security point of view. From a user experience point of view, remembering a password is no longer a requirement. The application therefore needs to provide sufficient security while adapting to this new user expectation. There are several ways to achieve this today: SSO, 2FA, passwordless login, authentication links, and so on. I will try to write a "How To" for each of them.
This article is about enabling MFA for your application to make it more secure, and letting users log in with a one-time token once they are registered and authenticated. Guiding principles for this kind of authentication:
- Users of the application are registered with a securely stored password.
- As part of registration, an MFA authenticator is registered as well. Many tools provide token-based authentication, for example Microsoft Authenticator and Google Authenticator.
- Once the user has signed in, for a limited period of time the user can log in on that device with just the token, without providing the password. This is safe only because the application remembers the device from which the full sign-in happened.
Below I describe a quick approach to enabling this in an Express app running on Node.js. This article does not cover how to create an Express app.
Libraries required
To achieve this we need two packages from NPM: speakeasy and qrcode. speakeasy handles secret generation and token verification, and qrcode generates the QR code for easy onboarding.
Registration

This lets a new user register for MFA: a new secret is generated and rendered as a QR code that can be scanned by an authenticator app for faster onboarding. Once scanned, an entry for this application is added to the authenticator app. After registration, the secret generated for the user must be stored securely, because it is needed for every future verification.
Login
After a successful login, the user can log in again using only the token, without entering the account password. This should be allowed only for a limited time and tied to the device on which the full login happened, to keep the security level as high as possible.

Based on the login email, the stored secret is fetched and the submitted token is verified against it, which confirms that the user is authentic and that MFA has been completed.
Conclusion
Security is no longer just a requirement; it is a must. I hope this article has given you some insight and the motivation to at least try out MFA in your next application.