Reputation: 29
I am trying to implement two-factor authentication on Devise using the gem devise-two-factor. I want the authentication to be in 2 steps: first I am going to ask for a username and password. If the user passes this step, then he will be redirected to the next page for the OTP if 2FA is activated; else the session will be verified by Devise.
If the user has opted for 2FA, then I want to use Devise to do all the authentication, and I don't want to use the sign_in(user) function to create a session if user.validate_and_consume_otp(CURRENT_OTP) is true. I want to pass the username, password and OTP to Devise as params so that Devise will handle the authentication of all three params without my intervention.
For doing so I have come up with some workflows:
If the username and password are valid and correct, I will pass these as POST params and have the username and password as hidden fields along with the OTP that the user will fill in after the submit. These three params will be sent to Devise for validation.
I first verify the username and whether it exists in the users table or not. If it exists, I will check for a valid password using the Devise default function user.valid_password?("YOUR_PASSWORD_COMES_HERE"). If both these conditions are true, I will pass the email of the user as a session variable to the next step, and in the second step I only verify the OTP (as username & password validation is done in step 1). If the OTP is correct, we create a session for the user with the email passed as the session variable and delete the session after successful login; else we will again ask for the OTP.
Can you suggest any better workflow?
Upvotes: 3
Views: 2752
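Added example, not part of the original posts and not code from Devise or devise-two-factor: a framework-free Ruby model of the second workflow in the question, where the password step leaves only a short-lived pending marker and the session becomes authenticated only after the OTP step. The User struct, begin_login, finish_login, the plain password comparison, the limits and the choice to key the marker on the user id are assumptions made for the illustration.

```ruby
require "openssl"
# Constructed, framework-free model; all names here are hypothetical.
PENDING_TTL  = 300 # seconds a passed password step stays usable
MAX_ATTEMPTS = 5   # OTP guesses allowed per pending login
User = Struct.new(:id, :password, :otp_secret, :last_otp_step)

# RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) over a raw secret.
def totp(secret, time)
  mac = OpenSSL::HMAC.digest("SHA1", secret, [time.to_i / 30].pack("Q>")).bytes
  offset = mac[-1] & 0x0f
  code = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) | mac[offset + 3]
  format("%06d", code % 1_000_000)
end

# Compare two strings without stopping at the first differing byte.
def same?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Step 1: on a correct password, record who is pending and since when.
# Nothing stored here counts as signed in, and no password is carried forward.
def begin_login(session, user, password, now)
  return false unless user && user.password == password # stand-in for valid_password?
  session.clear # drop any earlier session state
  session[:pending_user_id] = user.id
  session[:pending_at] = now.to_i
  session[:otp_attempts] = 0
  true
end

# Step 2: accept the OTP only for a fresh pending login, cap the attempts,
# and refuse a code from a time step that was already consumed (replay).
def finish_login(session, users, otp, now)
  user = users[session[:pending_user_id]]
  stale = session[:pending_at].nil? || now.to_i - session[:pending_at] > PENDING_TTL
  if user.nil? || stale || session[:otp_attempts] >= MAX_ATTEMPTS
    session.clear
    return :restart
  end
  session[:otp_attempts] += 1
  step = now.to_i / 30
  fresh = user.last_otp_step.nil? || step > user.last_otp_step
  return :retry unless fresh && same?(totp(user.otp_secret, now), otp.to_s)
  user.last_otp_step = step
  session.clear
  session[:user_id] = user.id # only now is the session authenticated
  :signed_in
end
```

In a Rails controller the hash passed as session would be the request session, and the :restart result would send the user back to the password form.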
Reputation: 11
If you want 2FA in two steps, you can try to use the gem https://github.com/Houdini/two_factor_authentication.
The default workflow of this gem is this:
Upvotes: 0