Introduce Multi-factor Authentication
To increase the security of accounts that aren't using SSO, we can offer users the ability to set up multi-factor authentication on their accounts.
Given the current registration requirements, every account has already been confirmed with a valid email address and phone number; these can be used as methods to challenge the user with single-use passcodes.
We can also offer time-based one-time passwords (TOTP) that users can set up with their preferred authenticator app.
I would suggest allowing users to set up any combination of the MFA options and to set one of them as the primary challenge, but allowing them to fall back to one of the other methods already set up in the event that the primary method is unavailable to them.
Challenge Methods
- Email: send an OTP to the user's email
- SMS: send an OTP to the user's phone number
- TOTP: the user provides the current TOTP code from their preferred authenticator app
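As an added illustration of the TOTP method above (example code, not code from the original issue or the project): a standard-library-only RFC 6238 implementation, with HOTP per RFC 4226 underneath. The verifier accepts a configurable drift window and refuses to accept a time-step counter that has already been used, which is the replay check the server side needs. The `RFC_SECRET` constant is the published RFC 6238 test key, encoded in base32, used here only so the code can be checked against known vectors; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TOTP_STEP = 30     # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6    # RFC 6238 default code length

# The RFC 6238 test key "12345678901234567890" (ASCII), base32-encoded.
# Used here only to check against the RFC's published vectors.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """New base32 secret to show the user (as a QR code) during enrollment."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = TOTP_STEP) -> str:
    """The code an authenticator app would show at `at_time` (default: now)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, t // step)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                window: int = 1, step: int = TOTP_STEP,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    `window` time steps on either side are accepted to tolerate clock drift.
    Any counter <= `last_used_counter` is refused so a captured code cannot be
    replayed inside the drift window; the caller stores the returned counter.
    """
    if not (submitted.isdigit() and len(submitted) == TOTP_DIGITS):
        return None
    t = int(time.time()) if at_time is None else at_time
    base = t // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None
```

On each successful verification the server should persist the returned counter per user and pass it back as `last_used_counter` next time; that single stored integer is what makes the drift window safe to keep.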
Challenge Types
The following is a list of some of the more common challenge types that could be implemented, with "Login," "Password Change," and "Account Deletion" being the types that would be "always on" for accounts with MFA enabled:
- Login: challenge them on login
- API Key Invalidation: challenge when invalidating an API key
- Team Adjustments: when managing a team, challenge the user when adding/removing users
  - For the best user experience, a single successful challenge should cover team adjustments for a short period before the user is challenged again, e.g. you may complete N team adjustments from a single challenge within 5 minutes of the challenge (or of the last team adjustment action, if the window should extend automatically) before being challenged again
- Password Change: challenge them on password change
- Account Deletion: challenge them during the account deletion process
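An added example (not the project's code) of the policy the challenge types above describe, with the primary/fallback method selection from the description: the "always on" set and the 5-minute window for team adjustments come from this issue, while the `AccountMfa` record, the `extend_on_action` switch and all function names are this example's own assumptions. It keeps the last passed challenge and last action per type, so the team-adjustment window can either be fixed or slide with each action, and every other type is challenged on each occurrence.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, Iterable, Optional, Set


class ChallengeType(Enum):
    LOGIN = auto()
    API_KEY_INVALIDATION = auto()
    TEAM_ADJUSTMENT = auto()
    PASSWORD_CHANGE = auto()
    ACCOUNT_DELETION = auto()


class Method(Enum):
    EMAIL = auto()
    SMS = auto()
    TOTP = auto()


# Always enforced for any account with MFA enabled (from the issue text).
ALWAYS_ON = {ChallengeType.LOGIN, ChallengeType.PASSWORD_CHANGE, ChallengeType.ACCOUNT_DELETION}

# Seconds during which one passed challenge covers repeated actions of that type.
# Only team adjustments get a window; 5 minutes is the value from the issue.
GRACE_SECONDS = {ChallengeType.TEAM_ADJUSTMENT: 300}


@dataclass
class AccountMfa:
    """Constructed per-account MFA state (an assumption of this example)."""
    enabled: bool
    enrolled: list = field(default_factory=list)           # methods set up, primary first
    optional_types: Set[ChallengeType] = field(default_factory=set)
    passed_at: Dict[ChallengeType, float] = field(default_factory=dict)
    last_action_at: Dict[ChallengeType, float] = field(default_factory=dict)


def is_enforced(account: AccountMfa, ctype: ChallengeType) -> bool:
    return account.enabled and (ctype in ALWAYS_ON or ctype in account.optional_types)


def needs_challenge(account: AccountMfa, ctype: ChallengeType, now: float,
                    extend_on_action: bool = False) -> bool:
    """True if the user must pass a fresh challenge before this action proceeds."""
    if not is_enforced(account, ctype):
        return False
    grace = GRACE_SECONDS.get(ctype, 0)
    if grace == 0:
        return True                      # no window: challenge every occurrence
    passed = account.passed_at.get(ctype)
    if passed is None:
        return True
    anchor = passed
    if extend_on_action:
        # Sliding window: measure from the most recent covered action instead.
        anchor = max(passed, account.last_action_at.get(ctype, passed))
    return now - anchor > grace


def record_challenge_passed(account: AccountMfa, ctype: ChallengeType, now: float) -> None:
    account.passed_at[ctype] = now
    account.last_action_at.pop(ctype, None)


def record_action(account: AccountMfa, ctype: ChallengeType, now: float) -> None:
    account.last_action_at[ctype] = now


def choose_method(account: AccountMfa, unavailable: Iterable[Method] = ()) -> Optional[Method]:
    """Primary (first enrolled) method, else the first other enrolled method still usable."""
    blocked = set(unavailable)
    for method in account.enrolled:
        if method not in blocked:
            return method
    return None
```

Whether the window should slide with each action is a product decision; the two branches of `needs_challenge` are kept side by side so that choice is a single boolean rather than a rewrite.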
This customer didn't explicitly request MFA, but this situation they had would have been prevented by MFA:
Another potential enterprise customer requested this:
Unfreezing this, as I believe we now have sufficient customer interest to move forward with the feature.
Another user requested this: Intercom