Meteor just released a new package that makes your life easier when you need to provide a 2FA system to your users on your Meteor app.
The package is called accounts-2fa and right now, it’s integrated with accounts-password and accounts-passwordless.
With this package, you can generate a QR code that your users scan with any authenticator app, such as 1Password or Google Authenticator, and then use the codes generated by that app to authenticate on your app.
I’ll show you how you can use this package in this post.
The first step is to add the package to your project. To do that, run the following command:
$> meteor add accounts-2fa
You also need to have either accounts-password or accounts-passwordless as one of your login methods.
Activating 2FA
Now that you have the package added to your project, you can generate a QR code for a user to scan. To do that, call the function Accounts.generate2faActivationQrCode(), providing your app name and a callback in which you receive the QR code.
Below you can see an example of how you could call this function:
At this point, 2FA is not activated yet. Once the user has scanned the QR code and can see codes in their authenticator app, call the function Accounts.enableUser2fa with the code the user provides.
You can also verify if the user has 2FA enabled (in case you want to show this information somewhere on your app) by calling the function Accounts.has2faEnabled.
To disable 2FA, call the function Accounts.disableUser2fa.
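The activation steps above, as an added example that is not code from the post or from the accounts-2fa package: a client-side enrollment flow over the callback-style functions the post names. The `accounts` object is injected so the flow can run outside a Meteor app against the constructed fake at the bottom; in the app you would pass the real `Accounts` object. The `svg`, `secret` and `uri` fields of the QR result and the `isWellFormedCode`, `enrollTwoFactor` and `makeFakeAccounts` names are assumptions of this example, not something the post states.

```javascript
// Added example, not code from the Meteor blog post or the accounts-2fa package.
// Client-side enrollment flow over the callback-style API the post describes.
// `accounts` is injected: in the app pass `Accounts` from 'meteor/accounts-base';
// here the constructed fake at the bottom stands in so the flow runs offline.

// Authenticator apps emit 6-digit codes; reject anything else locally so a
// typo never reaches the server as a failed verification attempt.
function isWellFormedCode(code) {
  return typeof code === 'string' && /^\d{6}$/.test(code.trim());
}

// Accounts.generate2faActivationQrCode(appName, cb) as a Promise. Assumption:
// the result carries `svg` (the QR image to render), `secret` and `uri`.
// Treat `secret` like a password: never log it.
function requestActivationQr(accounts, appName) {
  return new Promise((resolve, reject) => {
    accounts.generate2faActivationQrCode(appName, (err, result) =>
      err ? reject(err) : resolve(result));
  });
}

// Accounts.enableUser2fa(code, cb) as a Promise. 2FA only switches on after
// the server verifies a code, which proves the QR was scanned into a working
// authenticator; enabling without that check could lock the user out.
function confirmActivation(accounts, code) {
  if (!isWellFormedCode(code)) {
    return Promise.reject(new Error('A 2FA code is exactly six digits'));
  }
  return new Promise((resolve, reject) => {
    accounts.enableUser2fa(code.trim(), (err) => (err ? reject(err) : resolve(true)));
  });
}

// Accounts.has2faEnabled(cb) as a Promise resolving to a boolean.
function twoFactorStatus(accounts) {
  return new Promise((resolve, reject) => {
    accounts.has2faEnabled((err, enabled) => (err ? reject(err) : resolve(Boolean(enabled))));
  });
}

// Accounts.disableUser2fa(cb) as a Promise.
function deactivate(accounts) {
  return new Promise((resolve, reject) => {
    accounts.disableUser2fa((err) => (err ? reject(err) : resolve(true)));
  });
}

// Whole enrollment: fetch the QR, hand it to the UI, collect the first code,
// confirm it server-side, and report the resulting status.
async function enrollTwoFactor(accounts, appName, renderQr, promptForCode) {
  const { svg } = await requestActivationQr(accounts, appName);
  renderQr(svg);
  const code = await promptForCode();
  await confirmActivation(accounts, code);
  return twoFactorStatus(accounts);
}

// Constructed stand-in for the package (not the real accounts-2fa): a server
// that knows the user's authenticator currently shows FAKE_VALID_CODE.
const FAKE_VALID_CODE = '123456';
function makeFakeAccounts() {
  const state = { enabled: false };
  return {
    generate2faActivationQrCode(appName, cb) {
      cb(null, { svg: `<svg><!-- QR for ${appName} --></svg>`, secret: 'CONSTRUCTED', uri: 'otpauth://totp/constructed' });
    },
    enableUser2fa(code, cb) {
      if (code !== FAKE_VALID_CODE) return cb(new Error('Invalid 2FA code'));
      state.enabled = true;
      cb(null);
    },
    has2faEnabled(cb) { cb(null, state.enabled); },
    disableUser2fa(cb) { state.enabled = false; cb(null); },
  };
}

// Demo run against the fake; swap in the real Accounts object inside the app.
enrollTwoFactor(makeFakeAccounts(), 'ExampleApp',
  (svg) => console.log('render QR:', svg),
  async () => FAKE_VALID_CODE)
  .then((enabled) => console.log('2FA enabled:', enabled))
  .catch((err) => console.error('enrollment failed:', err.message));
```

The important design point is the order: the QR code alone changes nothing on the account, and `enableUser2fa` is only called with a code the user read from their authenticator, so 2FA cannot be switched on for an account whose owner has no working second factor.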
Log in with 2FA
As I said before, you need either accounts-password or accounts-passwordless as one of your login methods. With accounts-password you log in by calling the function Meteor.loginWithPassword; with accounts-passwordless you call Meteor.passwordlessLoginWithToken.
Both functions now return an error in their callback when the user has 2FA enabled, so check for this error and redirect the user to the place where they can enter a code.
Here’s an example when using accounts-password:
Then call the function Meteor.loginWithPasswordAnd2faCode when working with accounts-password, or Meteor.passwordlessLoginWithTokenAnd2faCode when working with accounts-passwordless.
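The accounts-password login flow described above, as an added example that is not code from the post or from the accounts-2fa package: try Meteor.loginWithPassword first, and only when the server signals that the account has 2FA enabled, ask for a code and retry with Meteor.loginWithPasswordAnd2faCode. The `meteor` object is injected so the flow runs against the constructed fake at the bottom; in the app you would pass the real `Meteor` object. The error identifier `'no-2fa-code'` is the value I recall the package using for this signal and is not stated in the post, so check it against the docs of the version you install; the `login` and `makeFakeMeteor` names are assumptions of this example.

```javascript
// Added example, not code from the Meteor blog post or the accounts-2fa package.
// Login flow for accounts-password with the 2FA branch the post describes.
// `meteor` is injected: in the app pass the real `Meteor` object; here the
// constructed fake at the bottom stands in so the flow runs offline.

// Assumption: the error the package returns from loginWithPassword when the
// account has 2FA enabled; verify against the accounts-2fa version you use.
const NO_2FA_CODE_ERROR = 'no-2fa-code';

// Meteor.loginWithPassword(selector, password, cb) as a Promise.
function loginWithPassword(meteor, selector, password) {
  return new Promise((resolve, reject) => {
    meteor.loginWithPassword(selector, password, (err) => (err ? reject(err) : resolve('logged-in')));
  });
}

// Meteor.loginWithPasswordAnd2faCode(selector, password, code, cb) as a Promise.
function loginWithPasswordAnd2faCode(meteor, selector, password, code) {
  return new Promise((resolve, reject) => {
    meteor.loginWithPasswordAnd2faCode(selector, password, code, (err) =>
      err ? reject(err) : resolve('logged-in-2fa'));
  });
}

// Resolves to 'logged-in' (no 2FA on the account) or 'logged-in-2fa' (code
// accepted); rejects otherwise. Only the 2FA signal leads to the code prompt:
// any other error (wrong password, unknown user) is surfaced unchanged, so a
// failed password never silently turns into a request for a code.
async function login(meteor, selector, password, promptForCode) {
  try {
    return await loginWithPassword(meteor, selector, password);
  } catch (err) {
    if (!err || err.error !== NO_2FA_CODE_ERROR) throw err;
  }
  const code = String(await promptForCode()).trim();
  if (!/^\d{6}$/.test(code)) throw new Error('A 2FA code is exactly six digits');
  return loginWithPasswordAnd2faCode(meteor, selector, password, code);
}

// Constructed stand-in for Meteor's login methods (not the real package): one
// user without 2FA and one with 2FA whose authenticator shows FAKE_CODE.
// Plain-text password comparison is only acceptable because this is a fake.
function makeFakeMeteor() {
  const FAKE_CODE = '123456';
  const users = {
    'alice@example.com': { password: 'correct horse', twoFactor: false },
    'bob@example.com': { password: 'battery staple', twoFactor: true },
  };
  const fail = (message, code) => Object.assign(new Error(message), { error: code });
  const checkPassword = (selector, password) => {
    const u = users[selector];
    return u && u.password === password ? null : fail('Incorrect password', 403);
  };
  return {
    loginWithPassword(selector, password, cb) {
      const bad = checkPassword(selector, password);
      if (bad) return cb(bad);
      if (users[selector].twoFactor) return cb(fail('2FA code required', NO_2FA_CODE_ERROR));
      cb(null);
    },
    loginWithPasswordAnd2faCode(selector, password, code, cb) {
      const bad = checkPassword(selector, password);
      if (bad) return cb(bad);
      if (code !== FAKE_CODE) return cb(fail('Invalid 2FA code', 403));
      cb(null);
    },
  };
}

// Demo run against the fake; in the app swap in the real Meteor object and a
// promptForCode that shows the code input to the user.
login(makeFakeMeteor(), 'bob@example.com', 'battery staple', async () => '123456')
  .then((result) => console.log('login result:', result))
  .catch((err) => console.error('login failed:', err.message));
```

The same shape applies to accounts-passwordless: replace the first call with Meteor.passwordlessLoginWithToken and the retry with Meteor.passwordlessLoginWithTokenAnd2faCode, passing the token where the password is passed here.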
Conclusion
It’s that simple to have 2FA integrated into your app now. You can check the official doc here for more details.
You can also see these methods in use here.
Using 2FA in your Meteor app was originally published in Meteor Blog on Medium.