2 Factor Authentication with GoTrue

Hello,

I am wondering if the GoTrue Netlify roadmap includes support for 2-factor authentication with SMS? Are there any examples of using the webhooks and a service like Twilio to offer an ad hoc 2-factor authentication?


I don’t know of any planned work like that on GoTrue, Carl.

Could you expand a bit on your use case for us? Most folks request 2FA on netlify logins (to manage your site) vs identity logins (to access restricted pages by Role for your site visitors), so just checking to make sure of your end goal so we can either explain existing options for Netlify admin login, or instead suggest that you open a new feature request on gotrue in GitHub (in case you did really mean the Identity/gotrue path).

Hello,

The use case is an eCommerce page where we need to ensure that the phone numbers customers give us at signup actually correspond to their real phone number. In the way that GoTrue already requires users to authenticate their email during signup, I simply need a second authentication mechanism at signup to verify the phone number they provide is legit.

As I said there is probably a way to add this ad hoc using Twilio and Identity webhooks, but I was curious if this was something others had already implemented or considered.

Hey carl,

this isn’t directly relevant to your question re: GoTrue (there is no native way to do this with GoTrue yet, you’d have to tool your own still) but Netlify does now support 2FA on user accounts:

Just checking back in here, is two factor available yet for netlify identity?

Two factor is now required at some gov agencies, so if not I will not be able to use Netlify identity for any of these clients unless I create my own solution.

This seems very doable to implement, esp if we just focus on the case of email sign up. The jwt would expire after X days, then the user needs to both login and verify with a link or code sent to their email, just like a password reset. I can go into further use cases if need be.

Hey @reyemtm,

This is doable without you having to rely on Netlify implementing this feature. You can make use of app_metadata and serverless functions to authenticate 2FA requests.