2FA best path forward

Hi, I searched and did not see a discussion specific to 2FA. I am working on a client portal to service multiple clients and would like the client users to be forced to use 2FA either by email or an auth app like Authy/etc. It appeared Auth0 may offer this on a fairly expensive plan; are there any other options for achieving this? Any examples to follow?

Thanks in advance!

Hey, basically anything made on WeWeb’s side of things can be bypassed, some things easier, some harder. So if you’re okay with having it not 100% enforced/secure, you could go with the WeWeb logic side of things; otherwise you need to implement custom backend logic, via Auth0, or I think Supabase could do this too :slight_smile:


Thank you for the insight!

I will try out Supabase and see if I can make it work.

If anyone has an example of a working flow on WeWeb’s side for utilizing these back-end providers in the challenge/validate calls (and requiring these prior to a page requiring back-end access, to avoid access denied), I would appreciate any advice to save time!


You can implement TFA with any of the major back-end players (Supabase, Xano, etc.) I can think of.

In the general form: you have a login page, which on “success” from the backend sends an email or a text with a code, and returns a session ticket to the front end. (Or it doesn’t, if you’re using something like Authenticator.) The front end takes you to a second, TFA page. That second page needs the code that was emailed/texted/whatevered. The second page validates the code along with the ticket, and gets back an auth token which WeWeb stores for future transactions.

This flow looks a lot like the forgot password flow.

Authentication/authorization is one of the hardest 5% problems we work on in State Change Pro loom-enabled forums and daily office hours.


Thank you very much, those are helpful design concepts, and thank you for the referenced help resources; I will definitely pursue them to get some expert help if I get stuck.

I know there’s a ton of use cases, and even OAuth options that would be fine without needing a solution to have PWA 2FA, but to me it seems like it is table stakes for a web app to have, so I want to make sure I can get it implemented before sinking a ton of time into other aspects.

Appreciate all the help, thanks!


Yes, and that’s not a WeWeb thing, it’s a frontend thing!

Here’s the replay of a live stream we did on the topic of building secure apps with no-code tools.

You’ll see examples of API calls from WeWeb to Xano and how to secure them.

Exactly, sorry for the poor wording: the front-end side of things. Anything in the front end is exposed, so yeah :slight_smile:

Ah no worries! No need to apologize! Really appreciate all your contributions on here :slight_smile:

Just saw it as a good opportunity to drive that point home because a lot of no-coders (including myself before I joined WeWeb!) don’t realize that security is a backend thing, whether you’re typing code or programming visually.

Hi there,

I am having issues implementing the 2FA flow I want. My preferred flow is as follows.

General idea
A logged-in user can enable or disable 2FA on their profile page (this works fine). When the user has enabled 2FA (TOTP using an authenticator app), on next login they should log in with username/password and then execute the 2FA challenge. My goal is to authenticate the user (generate the JWT access token) only when the full login flow that is applicable is completed. So there are two options:

2FA Disabled: User logs in with username and password, authToken provided, User is logged in in the Weweb App.

2FA Enabled: User logs in with username and password, executes the 2FA challenge, authToken is provided, user is logged in in the Weweb app.

The issue is in the Xano auth plugin. I can only configure it once, and I can map it to only one login endpoint, which normally takes username/password, but when 2FA is enabled it takes only the code (and in my case a token for the TOTP, linked to the user, to be able to fetch the TOTP secret).

Having said this, I am thinking about the best approaches to follow; here are a couple I can think of.

Single page login/2FA
Implement login and 2FA on a single page, conditionally shown based on the expanded login endpoint at the Xano side, with some logic about the flow to follow.

Xano Auth plugin: Signup
Using the Signup config of the Xano auth plugin to map to the 2FA challenge endpoint.

Using Xano extras to add a second layer of authorization in the authToken
Provide the JWT access token and authenticate the user after login with username/password, but add extras to the JWT token like: otp_pending=true / otp_pending=false. I can expose that status in the auth/me endpoint, but in this case I need to add a "check access" workflow to each page that is behind the login. A slight advantage is that I can make the 2FA challenge page an authenticated page, accessible when otp_pending = true.

Looking forward to some insights in the best approach to follow.

Hi @FHEXL ,

The following worked fine for me:

  1. Create one login screen where you first ask for an email address / user name and password.
  2. When login is pressed, these two fields freeze + the 2FA code is added to the user table (incl. timestamp) + an email/SMS is sent + a new field to enter these details shows up.
  3. Only after that last field is filled is the LOGIN function called, where you submit name/pass/2FA code at once.