Forum Academy Marketplace Showcase Pricing Features

Free Plugin | 2FA Google Authenticator API 🔐

Another fun one today. :slightly_smiling_face:

A great way to verify a user is real, by using the 2FA Google Authenticator app to verify codes.

Check it out:


Attempting to record my desktop and iphone at the same time didn’t go so well, so enjoy these split up haha.

Desktop:

iOS:


UPDATE 2.1.0 : QR Generation no longer requires opening in a new tab. This is now provided as a action call to display on page.

9 Likes

@lantzgould

… this is great! :grinning:

Thanks!

2 Likes

Agreed! This is awesome! Is there a way to implement SMS codes with this?

1 Like

Thank you both :slightly_smiling_face:

Re: SMS - No, the plugin doesn’t currently support SMS verify. Though, there are services like MessageBird that seem really affordable for 2FA SMS Verification. That particular service is cheaper than Twilio :man_shrugging:

If you see something that interests you let me know, I’ll take a look!

1 Like

Ah I see, I personally use Twilio and just do a manual system, but obviously a plugin would make it easier. Bubble’s 2FA doesn’t have SMS capabilities either which I was a bit shocked about tbh lol

1 Like

Gotcha. Yeah I agree it’d be nice if Bubble had this.

Out of curiosity, does Twilio have a verification sms? Or do you mean you send a unique code via sms?

Yes, I just send a unique code via SMS (not that safe, but it does the trick and haven’t had any major problems yet :grimacing:)

They do have Twilio Authy. I’ve never messed with it though :frowning:

1 Like

Nice! Looks interesting. I’ll have a play with it :nerd_face:

1 Like

I’d love to see it! :eyes:

UPDATE 2.1.0: QR Generation no longer requires opening in a new tab. This is now provided as a action call to display on page.

Check out the demo :slightly_smiling_face:

Awesome thanks for this

1 Like

Ok I see, I for one use Twilio and simply do a manual framework, yet clearly a module would make it simpler. Air pocket’s 2FA doesn’t have SMS abilities either which I was somewhat stunned about tbh haha

1 Like

@boxehiy625 I have one for Twilio Verify too if you’re interested :slightly_smiling_face:

Hi @lantzgould

Can you explain what code should be used in the plugin configuration?

Seems like you are using any random string or something. Right now I’m leaving these fields blank and looks like it’s working,

Hi @leonardo.cardoso,

This is used to validate the generated 2FA codes against the secret code used in your plugin settings. Basically so someone can’t bypass.

So I should input some random string with special chars to make it more secure? Did I get this right?

Correct :slight_smile:

1 Like

Hello @lantzgould,

Awesome plugin, thank you for building. Having tested and played with it for a while, with the hope of integrating it, i have one question:

Unless i’m missing something, shouldn’t the secret key be unique to each user?

Currently, i can take the following steps:

  1. Load your demo page
  2. Generate QR & Setup in google authenticate
  3. Enter authentication code & submit = success

All good so far.

  1. Open your demo app in an incognito window, generate qr
  2. Do not setup QR, just use the one setup previously, enter authentication code.
  3. Submit. = Success

I then replicated this in an app with real users. I logged in as “User A”, set up the QR code . Then logged in as “User B”, and tried to validate a code from “User A”, and it validated successfully. Because the secret key is the same for all users, therefore the current auth code is the same for all users, when it really should be different.

Currently, if you know someones password and you also have an account of your own, then you can access the other user’s account as your auth code is the same as theirs.

Is it possible to allow dynamic secret keys? It would then be up to the app builder to generate a unique key for each user, encyrpt and store it on the user object behind privacy rules and then have an api call use a backend workflow to decrypt the key when invoking the plugin actions.

1 Like

@andrew.illingworth91 Just pushed an update to allow for dynamic secret keys. Upgrade the plugin, refresh editor, then choose (multi tenant) in your workflow.

I haven’t tested the flow, so let me know how it goes.

@lantzgould

Amazing! Thanks man, I’ll let you know how I get on.

1 Like