This is an initial proposal for adding a two-factor authentication layer to JS applications.
- OTP usage in JavaScript differs from native apps and tends to be tricky
- QR codes are useless because we don't have access to native resources like the camera.
- We have to assume that our users will switch between pages (OTP page x Login page)
- We can borrow ideas from the iOS workflow and adapt it to JS
- For most of the scenarios, I'm assuming session storage to keep secrets.
- To implement some workflows, more dependencies must be added, such as SHA or Base32 support
- Provide a page to support 30-second TOTP codes
- Make use of PIN/challenge
- Make use of captchas (meh)
- Make use of TOTP as a password-based key derivation, behind the scenes. (password + OTP)