ntfy
MFA push / Authy API compatibility
I'm not quite sure whether this is possible and whether the issue title explains properly what this is about. The general idea is to improve usability for 2FA.
So for 2FA there's usually a separate app and once users are prompted to type their second factor they might have to unlock their mobile phone, open the authenticator app, search the platform and then they can actually start to type or copy the code. The company Twilio created a smart solution for making this workflow easier: Authy. Authy's workflow goes as follows:
the application calls Authy when it wants 2FA assurance. Using Apple or Google, Authy sends a push notification to the user’s device, which improves the user’s experience by leading the user to the mobile app. This push notification does NOT contain the transaction details.
This workflow sounds great and clearly removes friction. But it relies on a proprietary, uncontrollable service, as does most push notification infrastructure besides ntfy. And this workflow obviously relies on push infrastructure anyway.
Therefore it would be nice to have a free solution to improve people's security.
Without knowing any details about Android development I would guess that it would need these things:
- The server must have an integration possibility so that services and applications can actually provoke this. The best way would probably be to mimic the Authy API, since other developers would then only have to give the config option to change the API URL.
- The ntfy Android app should have a possibility to open a particular entry from an MFA app (maybe it would be good to discuss that with the folks from FOSS OTP projects, such as Aegis or FreeOTP+). I'm not quite sure how video players declare that they are capable of opening videos or certain URLs. Maybe something similar would work here too (i.e. there's already a schema to create a new entry in an OTP app with `otpauth://totp/some_email_provider`).
I'm fully aware that this is a lot to ask, but improving security and its usability for people believing in free software is probably worth a try.
PS: Thank you so much for ntfy :raised_hands:
You can use something like Authelia on your web server.
This issue is not about securing ntfy with an identity provider. It's about providing an Authy-inspired/compatible API within ntfy and allowing it to open an Android intent on OTP apps that will open a particular entry.
You want to use ntfy to proxy OTP requests from back-end services to OTP apps?
I'm not quite sure what 'proxying' would mean in this context.
The way Authy works (and how I imagine this could work in a combination of ntfy and an OTP) is this:
- You try to sign in with activated MFA on a platform (i.e. `example.org`)
- The platform sends a notification to Authy (or maybe your ntfy instance in the future) that you need the OTP code for `example.org` (there are some libraries to communicate with an Authy API)
- Your mobile device is getting the notification and when you tap on it, you'll see the entry for `example.org` in your favourite OTP app
Since ntfy already supports bringing push notifications from $somewhere via the ntfy server to the ntfy Android client, only two things are left to replace Authy with ntfy in this scenario:
- an incoming API entrypoint for "show OTP entry of `example.org`" (platform maintainers could probably even use official libs if the API would be compatible to the Authy API)
- a way for the ntfy Android app to open your OTP on the mobile device for `example.org` (maybe by opening a scheme like this: `otprequest://example.org`). OTP apps need to subscribe to these URLs (I also asked on andOTP whether this is possible)
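The two missing pieces listed in this thread (a backend-facing entrypoint, and a tap target that an OTP app can resolve to one of its entries), sketched as an added Python illustration. This is not ntfy's, Authy's or any OTP app's code. It assumes the `otprequest://` scheme proposed above, a placeholder server `https://ntfy.example`, and constructed sample `otpauth://` entries; it only builds the publish request rather than sending it. The ntfy `Title`, `Priority`, `Tags` and `Click` publish headers it uses are real, documented ntfy features. The point it adds to the discussion: the push itself stays free of secrets and codes (as in the Authy description quoted in the first post), and all matching against stored entries happens on the device.

```python
"""Illustration of the ntfy-as-MFA-push idea from this thread (added example,
not project code). The otprequest:// scheme is the thread's proposal and is an
assumption here; server URL and stored entries are constructed samples."""
from urllib.parse import urlparse, parse_qs, unquote, quote, urlencode

NTFY_SERVER = "https://ntfy.example"  # constructed placeholder, not a real instance


def otprequest_url(issuer, account=None):
    """Build the hypothetical tap target 'show the OTP entry for <issuer>'.
    Only issuer and (optionally) account are encoded, never a secret or code."""
    url = "otprequest://" + quote(issuer, safe="")
    if account:
        url += "?" + urlencode({"account": account})
    return url


def build_otp_push(topic, issuer, account=None):
    """Build (but do not send) the request a backend would POST to ntfy.
    ntfy's publish API takes the message as the body and per-notification
    options as headers; `Click` is the URL opened when the notification is tapped."""
    return {
        "method": "POST",
        "url": f"{NTFY_SERVER}/{topic}",
        "headers": {
            "Title": f"Sign-in to {issuer}",
            "Priority": "high",
            "Tags": "lock",
            "Click": otprequest_url(issuer, account),
        },
        "body": "Tap to open your OTP entry",
    }


def push_is_secret_free(request):
    """Defensive check mirroring the Authy property quoted above: the push must
    carry no otpauth URI, shared secret or one-time code."""
    fields = [request["body"]] + list(request["headers"].values())
    return not any("otpauth://" in f or "secret=" in f for f in fields)


def parse_otpauth(uri):
    """Parse a stored otpauth://totp/<label>?... entry into (issuer, account).
    The label is 'issuer:account' or just 'account'; an explicit issuer= wins."""
    p = urlparse(uri)
    if p.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    label = unquote(p.path.lstrip("/"))
    label_issuer, _, account = label.partition(":")
    if not account:  # label had no issuer prefix
        account, label_issuer = label_issuer, ""
    issuer = parse_qs(p.query).get("issuer", [label_issuer])[0]
    return issuer.strip(), account.strip()


def parse_otprequest(url):
    """Parse the hypothetical otprequest://<issuer>?account=<account> target."""
    p = urlparse(url)
    if p.scheme != "otprequest" or not p.netloc:
        raise ValueError("not an otprequest:// URL")
    issuer = unquote(p.netloc)
    account = parse_qs(p.query).get("account", [None])[0]
    return issuer, account


def resolve_entry(url, stored_entries):
    """What the OTP app would do on tap: return indices of stored entries whose
    issuer matches (and account, when the request names one). A list, because a
    user may hold several accounts at one issuer; the app then shows a picker."""
    issuer, account = parse_otprequest(url)
    matches = []
    for i, uri in enumerate(stored_entries):
        e_issuer, e_account = parse_otpauth(uri)
        if e_issuer.lower() != issuer.lower():
            continue
        if account and e_account.lower() != account.lower():
            continue
        matches.append(i)
    return matches


# Constructed sample entries; the secret is the well-known documentation value.
STORED = [
    "otpauth://totp/example.org:alice%40example.org?secret=JBSWY3DPEHPK3PXP&issuer=example.org",
    "otpauth://totp/example.org:bob%40example.org?secret=JBSWY3DPEHPK3PXP&issuer=example.org",
    "otpauth://totp/Other%20Service:alice?secret=JBSWY3DPEHPK3PXP",
]

if __name__ == "__main__":
    req = build_otp_push("auth-alice", "example.org", "alice@example.org")
    print(req["method"], req["url"], req["headers"], sep="\n")
    print("secret-free:", push_is_secret_free(req))
    print("entries opened on tap:", resolve_entry(req["headers"]["Click"], STORED))
```

The backend side needs nothing beyond ntfy's existing publish API; the open question from the thread is entirely on the device side, namely who registers a handler for the `otprequest://` scheme (the ntfy app forwarding the `Click` URL, and an OTP app such as Aegis or FreeOTP+ accepting it).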