Can OAuth be implemented with two factor authentic

Posted 2019-08-04 00:19

Question:

I've been looking into OAuth to see if it can be used in a project I'm working on. I'm starting to doubt if it's possible. It's based on two-factor authentication with a mobile device.

Essentially I'll have a login page where, upon successful login, a QR code will appear on screen. The user will be prompted to scan this code with their Android device (an app I'm making myself), which will authenticate them with the server.

I'm not sure if this fits with the OAuth paradigm, so I'm thinking I may need to design my own protocol instead.

Any advice appreciated.

Answer 1:

I don't think OAuth finds a place here: you have only one server, and your mobile user is not known to it. OAuth is used when a client (e.g. a web app or Android app) needs to talk to a server (e.g. Google Plus) on behalf of an end user that owns some resource there (e.g. the end user's Google Drive files), protecting their credentials. E.g. you cannot/don't need to know their password in Google Plus; Google Plus tells you they are authorized users there and allows you to do things on their behalf. See http://en.wikipedia.org/wiki/OAuth

Why doesn't your user insert their username and password in the Android app, without the QR code? I don't think you are adding any security with this QR code that anybody can scan. Look at Google 2-Step: http://en.wikipedia.org/wiki/Two-step_verification (they send an SMS).
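The answer's concern is that a QR code anybody can scan adds nothing on its own. An added example (not from the question or the answer) of how the scan could be made to count as a second factor: the server binds a random, short-lived, single-use challenge to the password-authenticated login session, and only a phone enrolled with a per-device secret can answer it. The `QrLoginServer` class, the HMAC-based response, the `phone_respond` helper and the sample keys are assumptions for illustration, not the asker's design.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL_SECONDS = 120  # how long a displayed QR code stays valid

class QrLoginServer:
    """Assumed server-side state for the QR-code second factor (illustration only)."""
    def __init__(self):
        self.device_keys = {}  # username -> secret shared with that user's enrolled phone
        self.pending = {}      # session_id -> (username, nonce, expires_at)

    def enroll_device(self, username, device_key):
        # Done once when the user registers the Android app; the key then stays on the phone.
        self.device_keys[username] = device_key

    def start_login(self, username, now):
        """Called after the password check succeeds; returns what to encode in the QR code."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_hex(16)  # unguessable challenge bound to this login session
        self.pending[session_id] = (username, nonce, now + CHALLENGE_TTL_SECONDS)
        return session_id, nonce

    def complete_login(self, session_id, username, tag, now):
        """Verifies the phone's answer; the challenge is consumed whether or not it verifies."""
        entry = self.pending.pop(session_id, None)  # single use: a replayed scan finds nothing
        if entry is None:
            return False
        expected_user, nonce, expires_at = entry
        device_key = self.device_keys.get(username)
        if now > expires_at or expected_user != username or device_key is None:
            return False  # expired code, or a phone enrolled to a different account
        expected = hmac.new(device_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison

def phone_respond(device_key, session_id, nonce):
    """What the app computes after scanning; without device_key a bystander cannot produce it."""
    return hmac.new(device_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def demo():
    # Constructed walk-through: enrolled phone succeeds; replay, stranger's scan and expired code fail.
    server = QrLoginServer()
    alice_key = b"constructed-sample-key-for-alice"
    server.enroll_device("alice", alice_key)
    sid, nonce = server.start_login("alice", now=1000)
    ok = server.complete_login(sid, "alice", phone_respond(alice_key, sid, nonce), now=1010)
    replay = server.complete_login(sid, "alice", phone_respond(alice_key, sid, nonce), now=1011)
    sid2, nonce2 = server.start_login("alice", now=2000)
    stranger = server.complete_login(sid2, "alice", phone_respond(b"other-key", sid2, nonce2), now=2005)
    sid3, nonce3 = server.start_login("alice", now=3000)
    expired = server.complete_login(sid3, "alice", phone_respond(alice_key, sid3, nonce3), now=3200)
    return ok, replay, stranger, expired
```

In a real deployment the phone would also have to reach the server over TLS and the enrollment key would be generated on the device, but the session binding, expiry and single-use check are what turn "anyone can scan it" into "only the enrolled phone can finish the login".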