Add Optional Two-Factor Authentication (2FA) for User Accounts #422

@dcollie2

Description

To improve account security, we should add optional two-factor authentication (2FA) for users. This will allow users to enable 2FA via TOTP (e.g., Google Authenticator, Authy) in their account settings, but not require it for all users.

Requirements:

  • Users can enable or disable 2FA from their account settings.
  • When enabled, users must scan a QR code with an authenticator app to set up 2FA.
  • On login, if 2FA is enabled, users must enter a valid TOTP code after password authentication.
  • Users should be able to generate and view backup codes for account recovery.
  • Store TOTP secrets and backup codes securely.
  • UI/UX for enabling/disabling 2FA, entering codes, and managing backup codes.

Technical Notes:

  • Use the rotp gem for TOTP generation/validation.
  • Use the rqrcode gem to generate QR codes.
  • Add otp_secret and otp_backup_codes columns to the users table.
  • Update authentication flow to require TOTP code if 2FA is enabled.

Acceptance Criteria:

  • Users can opt in/out of 2FA.
  • 2FA is enforced only for users who have enabled it.
  • Backup codes are available and can be regenerated.
  • All sensitive data is handled securely.
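The TOTP check and backup-code storage the requirements above call for, as an added example (not code from this issue or the project): a standard-library-only Ruby sketch that stands in for the rotp gem, verifies a code within a +/-1 step window while refusing a replay of the last accepted step, and keeps only salted hashes of single-use backup codes. Function names, the constructed salt and the RFC 6238 reference secret are assumptions.

```ruby
require 'openssl'
require 'securerandom'
# Minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s steps) using only the standard library.
BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
DEMO_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' # RFC 6238 test secret; real ones come from SecureRandom

def base32_decode(str)
  bits = str.upcase.delete('=').chars.map { |c| BASE32.index(c).to_s(2).rjust(5, '0') }.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

def hotp(secret_bytes, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest('SHA1', secret_bytes, [counter].pack('Q>'))
  offset = hmac.bytes.last & 0x0f                        # dynamic truncation (RFC 4226)
  code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

def totp(base32_secret, at:, step: 30, digits: 6)
  hotp(base32_decode(base32_secret), at / step, digits: digits)
end
# Constant-time comparison so a code check does not leak how many leading bytes matched.
def secure_compare(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Accept +/-drift steps of clock skew, but never a step at or before the last accepted one, so a code
# captured in its 30 s window cannot be replayed. Returns the matched step (store as last_used_step) or nil.
def verify_totp(base32_secret, code, last_used_step:, now:, step: 30, drift: 1)
  secret = base32_decode(base32_secret)
  current = now / step
  ((current - drift)..(current + drift)).each do |s|
    next if s <= last_used_step
    return s if secure_compare(hotp(secret, s), code.to_s)
  end
  nil
end
# Backup codes: show plaintext once, persist only salted PBKDF2 hashes, delete a hash when used.
def generate_backup_codes(count: 10)
  Array.new(count) { SecureRandom.hex(5) }
end
def hash_backup_code(code, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(code, salt, 10_000, 32, OpenSSL::Digest.new('SHA256')).unpack1('H*')
end
def consume_backup_code(stored_hashes, code, salt)
  h = hash_backup_code(code, salt)
  return false unless (idx = stored_hashes.index { |s| secure_compare(s, h) })
  stored_hashes.delete_at(idx)                           # a backup code works exactly once
  true
end
```

With the rotp gem, ROTP::TOTP#verify takes drift and `after:` arguments that cover the same window and replay checks; the point here is what otp_secret and otp_backup_codes should hold and how they are compared.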
