"Push" or "passwordless" authentication support? #341
Replies: 2 comments
-
Rodauth doesn't support this by default. IMO, it's a fairly bad idea from a security perspective because an attacker can submit a request around the same time as an actual request, or spam requests to authenticate and wait until the person with the phone presses a button just to stop getting annoyed (or by accident). If something is important enough to require OTP authentication, it's probably worth taking the time to ensure you are authenticating what you expect to be authenticating. These days, for similar convenience to what you want, and much better security, I would recommend using WebAuthn (which Rodauth supports in a few different ways).
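The two failure modes in the reply above (an attacker's request racing the real one, and an approval that isn't tied to any particular request) are easiest to see side by side. The following is an added simulation, not code from this thread or from Rodauth: `NaivePushServer` models a push prompt whose tap carries nothing but "yes", and `ChallengeBoundServer` models the WebAuthn-style shape where each login attempt has its own random challenge that the authenticator signs together with the relying-party id. `RP_ID`, the class names and the account name are constructed for the demo, and RSA stands in for the authenticator's key only because it needs no curve setup.

```ruby
require 'openssl'
require 'securerandom'

RP_ID = 'login.example.test' # constructed relying-party identifier for the demo

# 1. Naive push approval. The phone sees "Approve sign-in?" with nothing that
# identifies which login attempt it belongs to, so a tap can only be applied to
# whatever request is pending. Here the tap approves the newest notification,
# the one that lands on top of the screen.
class NaivePushServer
  def initialize
    @pending = Hash.new { |h, k| h[k] = [] } # account => list of request ids
    @approved = {}
  end

  def start_login(account)
    id = SecureRandom.hex(8)
    @pending[account] << id
    id
  end

  # The tap carries no challenge or request id, just "yes".
  def phone_tapped_approve(account)
    id = @pending[account].pop # newest notification
    @approved[id] = true if id
    id
  end

  def approved?(request_id)
    @approved.fetch(request_id, false)
  end
end

# 2. Challenge-bound assertion, the shape WebAuthn uses: every login attempt gets
# its own random challenge, the authenticator signs challenge || rp_id, and the
# server accepts the signature only for the attempt that issued that challenge.
class ChallengeBoundServer
  def initialize(public_key)
    @public_key = public_key
    @pending = {} # request id => challenge bytes
    @approved = {}
  end

  def start_login
    id = SecureRandom.hex(8)
    @pending[id] = SecureRandom.random_bytes(32)
    id
  end

  def challenge_for(request_id)
    @pending.fetch(request_id)
  end

  def finish_login(request_id, challenge, signature)
    expected = @pending.delete(request_id) # single use, even on failure
    return false unless expected && expected == challenge
    ok = @public_key.verify(OpenSSL::Digest.new('SHA256'), signature, challenge + RP_ID)
    @approved[request_id] = ok
    ok
  end

  def approved?(request_id)
    @approved.fetch(request_id, false)
  end
end

# Stand-in for the user's authenticator: holds the private key and signs
# challenge || rp_id. It never sees a challenge that wasn't delivered to the
# user's own browser session.
class Authenticator
  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
  end

  def public_key
    @key.public_key
  end

  def sign(challenge)
    @key.sign(OpenSSL::Digest.new('SHA256'), challenge + RP_ID)
  end
end

# Runs both models against the race described in the reply: the attacker
# submits a login for the same account right after the real user does.
def demonstrate
  naive = NaivePushServer.new
  victim_req = naive.start_login('alice')
  attacker_req = naive.start_login('alice') # arrives moments later, lands on top
  naive.phone_tapped_approve('alice')       # user taps the notification they see

  auth = Authenticator.new
  bound = ChallengeBoundServer.new(auth.public_key)
  victim_bound = bound.start_login
  attacker_bound = bound.start_login
  victim_challenge = bound.challenge_for(victim_bound)
  assertion = auth.sign(victim_challenge) # signed inside the victim's own session

  {
    naive_attacker_approved: naive.approved?(attacker_req),
    naive_victim_approved: naive.approved?(victim_req),
    # attacker replays the victim's assertion against their own attempt
    bound_attacker_approved: bound.finish_login(attacker_bound, victim_challenge, assertion),
    bound_victim_approved: bound.finish_login(victim_bound, victim_challenge, assertion),
    # a second use of the same assertion is refused: the challenge was consumed
    bound_replay_approved: bound.finish_login(victim_bound, victim_challenge, assertion)
  }
end

puts demonstrate.inspect if __FILE__ == $PROGRAM_NAME
```

In the naive model the attacker's attempt is the one that ends up approved and the real user just sees a failed login and tries again, which is also why "spam until they tap" works. In the challenge-bound model the attacker's attempt has a challenge the authenticator never signed, the victim's assertion cannot be transplanted onto it, and the consumed challenge cannot be replayed; a real WebAuthn deployment adds origin checking and a signature counter on top of this.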
-
Thanks as always for the fast reply and your thoughtful security perspective.
-
I'm not sure of the right term, but our clients are looking to avoid typing their OTP digits in order to log in. They often change tasks, so the timeouts do cause them to authenticate several times per day. Authenticator apps like Duo Authenticator and Google Authenticator have features where a web app can notify the user on their phone, and the user just taps a button on the phone to authenticate. Here's a 20-second video example of what I'm talking about: https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app
Does anybody know of Rodauth integration with such an authenticator app?