Setting up MFA

[ChxisB]

Hello Rauthy community!

I've recently come across this project and it's incredible. We're going to be using it for our authentication. I'm trying to setup MFA where the user uses their Google Auth or Microsoft Authenticatior. However, there only seems to be a way to do it via a "session" cookie.

What we're currently trying to achieve:

Custom Flutter UI -> Microservice API (Calling Rauthy) -> Return QR Code details -> Display QR Code in Flutter app.

We do have an issue with the /users/{id}/webauthn/auth/start endpoint. We're getting 401 Unauthorized even though we're passing the user id in the param and we've got a session cookie.

It would be great to get some guidance on how best to approach this?

[sebadob]

I guess you are trying to set up TOTP, and yes, this will not work. Rauthy works with Passkeys. There won't be any QR code or anything like that.

I never used Flutter, but if you want to use it, you would need to work with Webauthn. However, even then, you won't be able to use TOTP. I never implemented it and never will, because I think it's outdated technology and provides a very bad and annoying UX, especially compared to Webauthn.

The Endpoints for starting and finishing the Webauthn ceremony require a Session, because they cannot be triggered from an external Origin anyway. You could make it work, if you dare to go very low level with the API, and do it manually instead of letting the browser / Webview handle everything for you.

If you really want to use TOTP for whatever reason, instead of Webauthn, you won't be able to set up MFA with Rauthy.
However, if you want to stick with Rauthy + Passkeys, you will most probably not be able to do it from inside your app, as long as you don't handle a lot of stuff manually. Webauthn is very restrictive. Your best choice would be to open the Browser on devices.

[ChxisB]

Thanks for the reply @sebadob - with us being in health industry "UK" we have to bid by their standards and one of them standards is to have TOTP enabled.

We need the ability to be as custom as possible. We were looking at firebase auth but we're looking to self host a solution; - A solution which allows us to add the different MFA solutions.

[sebadob]

Yeah if they have bad standards, theres nothing you can do about it. If you need TOTP, take a look at Keycloak (basically the default option) or Zitadel (never used it myself).

[peter-]

FWIW, Authelia is fully FLOSS, simple to deploy and run (like Rauthy, unlike Keycloak) and supports TOTP (as well as fido/fido2/webauthn), if you think you need that.

Seems the API docs are not yet linked from the public documentation.