Hi I searched and did not see a a discussion specific to 2FA. I am working on a client portal to service multiple clients and would like the client users to be forced to use 2FA either by email or auth app like authy/etc. It appeared auth0 may offer this on a fairly expensive plan, are there any other options for achieving this? Any examples to follow?
Hey, basically anything made on the WeWeb’s side of the things can be bypassed, some things easier, some harder. So If you’re okay with having it not 100% enforced/secure, you could go with WeWeb logic side of things, otherwise you need to implement a custom backend logic, via Auth0 or I think Supabase could do this too
I will try out Supabase and see if I can make it work.
If anyone has an example of a working flow on the WeWeb’s side for utilizing these back-end providers in the challenge/validate calls (and requiring these prior to page requiring back-end access to avoid access denied), I would appreciate any advice as to save time!
You can implement TFA with any of the major back-end players (Supabase, Xano, etc) I can think of.
In the general form: you have login page, which on “success” from the backend, sends an email or a text with a code, and returns a session ticket to the front end. (Or it doesn’t if you’re using something like Authenticator) The front-end takes you to a second, TFA page. That second page needs the code that was emailed/texted/whatevered. The second page validates the code along with the ticket, and gets back an auth token which weweb stores for future transactions.
This flow looks a lot like the forgot password flow.
Thank you very much, that is helpful design concepts and thank you for the referenced help resources, I will definitely pursue if I get stuck to get some expert help.
I know theres a ton of use cases and even Oauth options that would be fine without needing a solution to have PWA 2FA, but to me it seems like it is table stakes for a web app to have, so I want to make sure I can get it implemented before sinking a ton of time into other aspects.
Ah no worries! No need to apologize! Really appreciate all your contributions on here
Just saw it as a good opportunity to drive that point home because a lot of no-coders (including myself before I joined WeWeb!) don’t realize that security is a backend thing, whether you’re typing code or programming visually.