
Allow TOTP as 2FA alternative if hardware security key can't be used

Open taivlam opened this issue 1 year ago • 1 comment

Describe the bug From a UX perspective, a user will be prevented from logging into their account if they use hardware security keys to log in but (for whatever reason) cannot get Android to detect a valid hardware security key.

To Reproduce Steps to reproduce the behavior:

  1. Add at least 1 security key to your Standard Notes account from the web app.
  2. Sign into your Standard Notes app on Android.
  3. The hardware security key prompt screen appears.
  4. See error.

Expected behavior There should be a UX fallback option to TOTP authentication, in case the default 2FA method of hardware security keys cannot work for whatever reason.

Screenshots If applicable, add screenshots to help explain your problem.

Screenshot: pic1

Other than the "Cancel" button, the only action a user can perform here is to press the "Authenticate" button. pic2

Smartphone:

  • Device: Pixel 5a (barbet)
  • OS: GrapheneOS/Android 14
  • App: F-Droid/Droid-ify
  • Version: 3.195.1

Additional context

  • This issue will be noticed by SN users who use security keys, especially if an Android user is on GrapheneOS with no sandboxed Google Play Services.
    • (From what I understand, Android with system-level Google Play Services can handle hardware security keys/passkeys.)
  • I use SoloKey 1 and SoloKey 2 devices as my hardware security keys.
  • I have the Professional plan for Standard Notes (which allows for hardware security keys as a 2FA method).

taivlam avatar Sep 13 '24 15:09 taivlam

In order to bypass this UX issue, I have to do the following:

  1. Remove all hardware security keys on my Standard Notes account via the web app.
     • (This is so that Standard Notes can only use TOTP as 2FA.)
  2. Sign into my Android device with TOTP.
  3. Add back all my security keys via the web app.

This is a bit cumbersome, as it currently is.

taivlam avatar Sep 13 '24 15:09 taivlam

Having a similar issue with the Desktop app (version: 3.195.13). My current workaround is to use the recovery code to bypass the security key authentication, which does not work properly with the desktop app. It would be great to have a fallback mechanism or to let the user choose the suitable 2FA method based on the client.

CongL415 avatar Nov 17 '24 23:11 CongL415

I think the problem comes from this line, which hardcodes the U2F_IFRAME_ORIGIN variable.

Since my own web app is hosted on a different domain than the one hardcoded in U2FPromptIframeContainer.tsx, the authentication fails.

I am wondering whether it is possible to allow self-hosting users to define U2F_IFRAME_ORIGIN themselves?

CongL415 avatar Nov 18 '24 20:11 CongL415
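The comment above points at a hardcoded iframe origin as the reason self-hosted deployments fail. The example below is an added illustration, not Standard Notes code: it shows the pattern a self-hostable client would need, reading the prompt-iframe origin from configuration (falling back to a built-in default) while still comparing `event.origin` of every incoming postMessage against that single expected origin, so that making the value configurable does not turn into accepting messages from any origin. The function names, the `DEFAULT_U2F_IFRAME_ORIGIN` placeholder value and the message shape are assumptions for illustration.

```typescript
// Added example (not from the Standard Notes codebase). Models a configurable
// iframe origin for a 2FA prompt plus a strict postMessage origin check.

// Placeholder default; a real client would ship its hosted app's origin here.
const DEFAULT_U2F_IFRAME_ORIGIN = 'https://app.example.test';

// Resolve the origin to use for the prompt iframe. `configured` is whatever a
// self-hoster supplied (e.g. via an env var or settings page); an empty or
// missing value keeps the default. The result is always a bare origin.
function resolveIframeOrigin(
  configured?: string,
  fallback: string = DEFAULT_U2F_IFRAME_ORIGIN,
): string {
  const candidate = (configured ?? '').trim();
  if (candidate === '') {
    return fallback;
  }
  let url: URL;
  try {
    url = new URL(candidate);
  } catch (e) {
    throw new Error(`U2F iframe origin is not a valid URL: ${candidate}`);
  }
  // WebAuthn/U2F only works in a secure context, so refuse plain http.
  if (url.protocol !== 'https:') {
    throw new Error(`U2F iframe origin must use https: ${candidate}`);
  }
  // An origin has no path, query or fragment; reject full URLs to avoid
  // comparing event.origin against something that can never match.
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') {
    throw new Error(`U2F iframe origin must be a bare origin: ${candidate}`);
  }
  return url.origin;
}

// Hypothetical shape of the message the prompt iframe posts back to the app.
interface U2FResponseMessage {
  type: 'u2f-response';
  credential: string;
}

// Validate one incoming message. `eventOrigin` is MessageEvent.origin as set by
// the browser; `data` is MessageEvent.data. Anything from another origin, or
// malformed, is dropped (returns null) rather than treated as a credential.
function acceptIframeMessage(
  eventOrigin: string,
  data: unknown,
  expectedOrigin: string,
): U2FResponseMessage | null {
  // Exact string comparison of serialized origins; never use '*' or prefix checks.
  if (eventOrigin !== expectedOrigin) {
    return null;
  }
  if (typeof data !== 'object' || data === null) {
    return null;
  }
  const msg = data as Record<string, unknown>;
  if (msg.type !== 'u2f-response' || typeof msg.credential !== 'string') {
    return null;
  }
  return { type: 'u2f-response', credential: msg.credential };
}

// Demo with constructed inputs: a self-hosted origin and two posted messages,
// one from the configured iframe origin and one from an unrelated page.
function demo(): string[] {
  const origin = resolveIframeOrigin('https://notes.selfhosted.example/');
  const good = acceptIframeMessage(
    'https://notes.selfhosted.example',
    { type: 'u2f-response', credential: 'constructed-assertion' },
    origin,
  );
  const bad = acceptIframeMessage(
    'https://attacker.example',
    { type: 'u2f-response', credential: 'forged' },
    origin,
  );
  return [origin, good ? good.credential : 'rejected', bad ? bad.credential : 'rejected'];
}
```

The point for self-hosters is that the fix is to make the expected origin a deployment setting, not to loosen the check: the message handler still compares against exactly one origin, and the default only applies when nothing is configured.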

I'm having this issue on a new phone. I'm not able to log in to Standard Notes as my phone doesn't have a hardware key.

I have a TOTP but no option to provide it. Could even use a PassKey but no option for it either.

Having to work offline :/

robertbeal avatar Apr 10 '25 11:04 robertbeal

I still had to use this ad hoc workaround (of logging into a web browser to remove all physical security keys; sign into my SN account on Android to finally be offered TOTP 2FA; and then add back all my security keys) to get my Standard Notes app properly synced again, after using a Seedvault backup when I upgraded to a new Android phone.

Below are the relevant details:

  • Device: Google Pixel 8a (akita)
  • OS: GrapheneOS/Android 14
  • App: F-Droid/Droid-ify
  • Version: 3.198.5

taivlam avatar Sep 05 '25 12:09 taivlam