[OWASP-Security101] 2FA for mobile apps

Brian Erdelyi brian.erdelyi at gmail.com
Tue Feb 16 15:59:29 UTC 2016

Good Day.

I’ve developed a website that supports two-step verification using OATH based OTPs.  The website generates a key and QR code that can be used with any OATH client (like Google’s authenticator)  I now have a mobile app (iOS) that uses a web API.

What are the best practices for enabling two-step verification with my mobile app when using the web API?  Do you know of any mobile applications that do a good job of implementing two-step verification?

I could prompt for the OTP in the mobile app (this is something Facebook and Dropbox’s mobile app does), however, this means switching between my app and the OATH software client (not very user friendly).  Or, should I be considering developing OATH support in my mobile app to generate the OTP and seamlessly pass this to the web API?

Once initially authenticated with a OTP, Facebook and Dropbox mobile apps no longer require OTP for future logins.  This would suggest there is a session key/token that would be stored by the mobile app and passed to the web service with each request.  Are there any existing guidelines how to best do this?

Thinking out loud… storing the OATH key in the keychain is straightforward (as is generating the OTP from the key and seamlesly passing it to the web API).  It is the workflow of registering the device/app on the website and getting the key to the app.  Perhaps, when OATH is enabled via the web browser, the user scans the QR code with the mobile app?  The mobile app could then do a login and use the OTP to complete setup and device/app is registered.  Thoughts?

Thanks in advance.


More information about the Security101 mailing list