-
praveen
hi can someone clarify about adding an SMS OTP 2FA auth for sign up https://github.com/monal-im/Monal/issues/565#issuecomment-2032017065
-
praveen
xep 0388 + fast tokens vs xep 0389, which one to choose
-
singpolyma
Is it just for signup or for log in?
-
singpolyma
For sign up it'll mean you can't use ibr anymore I suppose. In these cases I've been using a xep0060 with node of jabber:iq:register instead
-
praveen
sign up initially, it generates a random password for login
-
singpolyma
Right, so you *could* do fast only, or just random password as you say
-
singpolyma
The real trick is multi stage ibr replacement
-
praveen
isn't xep 0389 meant for this? any problems with it?
-
singpolyma
0389 doesn't seem to have a story about multi stage still AFAICT. So I'd probably stick with 0060
-
MattJ
0060? You mean 0077?
-
singpolyma
lol, no I mean 0050 off by one
-
MattJ
Ah right
-
MattJ
Pre-auth 0050?
-
singpolyma
yes. though multi stage also has problems with pre-auth generally if your connection dies before you complete the challenge
-
singpolyma
or https://xmpp.org/extensions/inbox/multistage-ibr.html but people *hated* that idea
-
singpolyma
in fact iirc the feedback to that xep was "just use 0050"
-
praveen
singpolyma, thanks, we will use xep 0050 - XEP-0050: Ad-Hoc Commands for this unless someone thinks xep 0389 can do it (at least Thilo thought it can fit).
-
singpolyma
You'll need to be careful about what happens if someone loses connection before completing the challenge
-
singpolyma
When they reconnect you won't know who they are unless you build a way
-
singpolyma
With Cheogram Android we've done a sort of hack where we give out severely limited JIDs to anyone but all they can do is 0050 against our onboarding. That way they can survive reconnects and we delete that temp jid when they're done. It's certainly not a flawless approach
-
praveen
But if this is a hacky approach, not every client supports, I wonder if this is very useful.
-
singpolyma
No client will support what you're proposing, sure
-
praveen
why is a sms or email verification for sign up still so non standard in xmpp though?
-
singpolyma
Because it hasn't been done yet 🙂
-
singpolyma
I'm glad you're working on this
-
praveen
but we will need at least some guidance to pick the right way
-
singpolyma
I wonder how quicksy does it
-
praveen
quicksy did a client side custom change
-
singpolyma
What protocol do they use for the registration though?
-
singpolyma
Does it start with ibr and transition to something else?
-
praveen
client makes an http api call to quicksy server
-
singpolyma
So totally oob, no ibr or xmpp part of the flow
-
praveen
quicksy server verifies otp and creates account via ejabberd api
-
praveen
xep 0389 looks promising, if we can add missing bits to it
-
singpolyma
Pre auth 0050 is pretty sensible I think except for this question of what to do if the app disconnects part way through
-
singpolyma
0389 didn't look like it supported multi stage to me?
-
singpolyma
But maybe it's just not clear
-
praveen
let's see if anyone else has an idea about xep 0389
-
singpolyma
Anything with multi stage in pre auth will need to solve this what if they disconnect question
-
singpolyma
With 0050 you could solve it by having client remember the session id and using that as your cookie for example
-
praveen
if other clients are open to implementing 0050 based flow, that works, at least Monal is interested in 0389
-
singpolyma
Sure, I'd be curious to see if 0389 can even do what you want, and how it solves the disconnect problem if so
-
praveen
I asked a follow up question to Thilo, let's see what they think
-
singpolyma
Thilo will have this disconnect problem 100% of the time so it's not an edge case for them
-
praveen
would fast token solve this issue?
-
praveen
https://xmpp.org/extensions/inbox/xep-fast.html
-
praveen
Maybe we need to modify that to replace temporary jid with temporary token that can only be used to complete sign up?
-
singpolyma
Fast is for auth after you already have an account