feat: using MFA code without QRCODE #589

Open
rdhox opened this issue Nov 26, 2024 · 5 comments
Comments

@rdhox

rdhox commented Nov 26, 2024

I was trying to integrate MFA into a project and I realised that the code is only readable via a QR code scan with an application.
Is there a reason why we cannot just have the MFA code, send it by email or SMS and use the endpoint to check it?

Looking at the source code, it would not be hard to make it an option. Is there a possibility for a PR?

Thanks!

@dbarrosop
Member

Hello @rdhox,
Thanks for your request. I'm not sure I understand though, do you mean when adding a new MFA method? AFAICT the totpsecret is sent back alongside the URL with the QR image:

https://github.com/nhost/hasura-auth/blob/main/src/routes/mfa/totp-generate.ts#L45
https://docs.nhost.io/reference/auth/get-mfa-totp-generate

Or do you mean something else?

Regards

@rdhox
Author

rdhox commented Nov 27, 2024

Thanks for your response!
My understanding, but I could be totally wrong, is that the user has to scan the QR code to get the code and the developer cannot get the code to send it to the user by email or any other means. I would like my project to have MFA on by default without the user activating it, and when the user signs in with their email/password, they receive their MFA code by email, without having to scan a QR code.
Is this possible?

When I use /mfa/totp/generate, can I from the totpsecret get the code?

Thanks!

@dbarrosop
Member

> When I use /mfa/totp/generate, can I from the totpsecret get the code?

Yes, you can check the links I shared before where you can see the totpsecret in the response. If something else is missing let us know.

> I would like my project to have MFA on by default without the user activating it, and when the user signs in with their email/password, they receive their MFA code by email, without having to scan a QR code.

You should be able to implement that. I've never seen that workflow before, but you should be able to implement it in your application.

@rdhox
Author

rdhox commented Nov 27, 2024

Thanks!
There is something that I'm missing in the MFA workflow then!
Here is my understanding and where I'm stuck:

  1. I sign in my user with email/password.
  2. I use /mfa/totp/generate and I get the URL of the QR code image, and the totpsecret.
  3. Here I want to have the 6-digit code to send it to the user (via a special email service => constraint of the project). How can I get this code from the totpsecret?
  4. The user enters the code; now I want to use the /signin/mfa/totp endpoint to successfully sign the user in. I need the ticket to do so, and I don't have it.

When I activate MFA for the user following this, the response of the email/password endpoint is:

```
{
  session: null,
  mfa: { ticket: string }
}
```

Since the session is null, I cannot proceed with the /mfa/totp/generate endpoint.

I think there is obviously something I'm missing here; any clarifications are welcome!

Thanks!

@dbarrosop
Member

I think you are mixing things up:

  • /mfa/totp/generate - This endpoint is to add a new MFA method. You need the totpsecret (or the QR image) to configure your authenticator (i.e. Google Authenticator, 1Password, Bitwarden, etc.). The codes will then be generated by the authenticator.

You can't send the codes via email because these codes change every 60s, so by the time the user sees the email and enters the code it might have expired already.

I think you might be mistaking TOTPs (which are an MFA function) for one-time passwords: https://docs.nhost.io/guides/auth/sign-in-otp

2 participants