ravi

Reputation: 838

securely bypass two factor authentication on mobile app

I'm trying to implement two-factor authentication via TOTP. I have a web app and mobile applications (iOS and Android). I want the two-factor auth flow only on the web app, not on the mobile apps. How can I securely bypass two-factor auth on only the mobile apps?

Update: I'm using a common backend API for the web app and the mobile apps. I need to implement two-factor on the web app. For the mobile apps, one factor (username, password) is fine.

Upvotes: 0

Views: 987

Answers (3)

Neeraj Shukla

Reputation: 1561

Well! This assumes that for the other factor you use a mobile phone. You would ask for username and password, and then link the phone number with the account. Then you verify that the user owns that phone number by sending a one-time password.

There can be a smart way to do the same in the app without much user interaction.

  1. Ask the user for email, password and phone number.
  2. You send a verification code to the phone, and you read and verify that verification code yourself. You would need the 'read SMS' permission. If the user has the correct verification code in the SMS that you have sent, then you can automatically verify that the user owns the phone number. Otherwise the user does not own the phone number, something is fishy, and he should be taken somewhere else.

Upvotes: 0

Emin

Reputation: 621

Look to implement an analog of the application passwords Google uses for such things.

Upvotes: 0
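As an added illustration of the application-password approach this answer suggests (example code written for this page, not Google's implementation and not code from the question's project), the following Python sketch shows one common backend that enforces the policy server-side: web clients must present password plus a TOTP code (RFC 6238), while mobile clients authenticate with a per-device, revocable application password that is separate from the primary password. The `client_kind` value is assumed to be established by the server (for example from registered OAuth client credentials), never read from a client-supplied header; the `USERS` record, the secret and the helper names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time

# --- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits), used only by the web flow ---

def totp(secret, for_time=None, step=30, digits=6):
    """Compute the TOTP value for `secret` at `for_time` (default: now)."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, now=None, step=30, window=1):
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    base = time.time() if now is None else now
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, base + delta * step, step), code):
            return True
    return False


# --- Application passwords: long random tokens issued per device and revocable ---

class AppPasswordStore:
    """Stores only a salted hash of each issued application password (hypothetical helper)."""

    def __init__(self):
        self._records = {}   # token_id -> (username, label, salt, hash)

    @staticmethod
    def _hash(token, salt):
        # The token has ~192 bits of entropy, so a single SHA-256 is enough;
        # user-chosen passwords would instead need a slow hash such as scrypt/argon2.
        return hashlib.sha256(salt + token.encode()).digest()

    def issue(self, username, label):
        token_id = secrets.token_hex(8)        # public lookup key, safe to log
        token = secrets.token_urlsafe(24)      # shown to the user once, never stored
        salt = secrets.token_bytes(16)
        self._records[token_id] = (username, label, salt, self._hash(token, salt))
        return f"{token_id}.{token}"

    def verify(self, username, presented):
        token_id, _, token = presented.partition(".")
        record = self._records.get(token_id)
        if record is None:
            return False
        owner, _label, salt, stored = record
        return owner == username and hmac.compare_digest(stored, self._hash(token, salt))

    def revoke(self, token_id):
        return self._records.pop(token_id, None) is not None


# Constructed demo user; a real backend stores a slow hash of the password, not the plaintext.
USERS = {"alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"}}


def authenticate(store, client_kind, username, password=None, totp_code=None,
                 app_password=None, now=None):
    """Server-side policy: the client never gets to choose whether the second factor applies."""
    user = USERS.get(username)
    if user is None:
        return False
    if client_kind == "web":
        pw_ok = password is not None and hmac.compare_digest(user["password"], password)
        return pw_ok and verify_totp(user["totp_secret"], totp_code or "", now)
    if client_kind == "mobile":
        # The primary password alone is rejected here; only an application password works,
        # so losing the mobile credential never exposes the web account beyond that device.
        return app_password is not None and store.verify(username, app_password)
    return False


if __name__ == "__main__":
    store = AppPasswordStore()
    device_pw = store.issue("alice", "alice's phone")
    print("web login:   ", authenticate(store, "web", "alice", "correct horse",
                                        totp(USERS["alice"]["totp_secret"])))
    print("mobile login:", authenticate(store, "mobile", "alice", app_password=device_pw))
```

Revoking a single application password cuts off one device without touching the web credentials, which is the property that makes this safer than simply letting mobile clients skip the TOTP step with the primary password.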

Neil Smithline

Reputation: 1596

Having two authentication flows, one with 2FA and one without, is basically a vulnerability. Implement 2FA everywhere or don't bother.

PayPal has had some bad experiences with partial 2FA implementations. No reason for you to follow.

Upvotes: 1
