Add an event to TSphinxConfig so that a 2FA code can be emailed to the user.
There are a few problems with this:
- Sphinx doesn't automatically generate a 2FA code. It's you, the developer, who does that by calling UserManager.ResetAuthenticatorKey. So no need for an event in this case.
- Usually users have to confirm at least one authenticator code to enable 2FA. So receiving the secret would, ideally, still require that they input the authentication code to enable 2FA.
I think I didn't express it clearly enough.
When the form for the validation code, the one where the code from a validator app is entered, is shown, it would be useful to have an event on the server that can be used so the developer can calculate and email the required code to the user.
Although the authenticator apps are the preferred method for retrieving a code, some clients want a code sent by email or SMS (I am still amazed that the banks use this method, but that's people for you).
Still, currently it doesn't make much sense, as the validation code is by default valid for 30 seconds only.
We have a solution in one of our webbroker apps where the user can choose the method of receiving the code (App, Email, SMS), and what they have selected determines how long the code is valid for. In this example EmailValidationTime is a constant:
const
  // Validity period in seconds for each delivery method
  OTPValidationTime = 30;
  SMSValidationTime = 400;
  EmailValidationTime = 600;

// Generate the code to send by email, using the longer time step
lCode := TOTPGen.GenerateTOTP(lUser.MFAKey, EmailValidationTime);

class function TOTPGen.GenerateTOTP(const pBase32EncodedSecretKey: string; const TimeStepWindow: integer = 30; const pOutputLength: TOTPLength = TOTPLength.SixDigits): string;
begin
  // TOTP is HOTP with a counter derived from the current time and the step size
  Result := GenerateHOTP(pBase32EncodedSecretKey, GetCurrentUnixTimestamp(TimeStepWindow), pOutputLength);
end;
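
Added example (Python, not code from this thread or from Sphinx): a TOTP generator with a configurable time step, like the GenerateTOTP call above, plus the matching server-side check. It shows that with a 600-second step an emailed code is valid until the end of the current 600-second window, not for 600 seconds after it is sent. The function names, the `windows_back` parameter and the sample secret (the RFC 6238 test key) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

OTP_VALIDATION_TIME = 30      # seconds, values from the post above
EMAIL_VALIDATION_TIME = 600

# Constructed sample secret: the RFC 6238 test key, Base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP using HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now, step=OTP_VALIDATION_TIME, digits=6):
    """RFC 6238 TOTP: the counter is the number of whole steps since the epoch."""
    return hotp(secret_b32, now // step, digits)


def seconds_left(now, step):
    """Seconds until a code issued at `now` stops matching the current window."""
    return step - (now % step)


def verify(secret_b32, code, now, step, windows_back=1, digits=6):
    """Accept the current window plus `windows_back` earlier ones."""
    counter = now // step
    ok = False
    for c in range(counter, max(counter - windows_back, 0) - 1, -1):
        ok |= hmac.compare_digest(hotp(secret_b32, c, digits), code)
    return ok


if __name__ == "__main__":
    issued = 1199  # constructed timestamp: last second of a 600 s window
    code = totp(SECRET, issued, EMAIL_VALIDATION_TIME)
    print(code, "expires in", seconds_left(issued, EMAIL_VALIDATION_TIME), "s")
    print(verify(SECRET, code, issued + 1, EMAIL_VALIDATION_TIME, windows_back=0))
    print(verify(SECRET, code, issued + 1, EMAIL_VALIDATION_TIME, windows_back=1))
```

Accepting one earlier window keeps a code issued late in a window usable, at the cost that a code can then be accepted for up to twice the step length.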