ACC Multi-Factor Authentication
This document specifies a multi-factor authentication mechanism for IRC login that works alongside existing SASL methods.
The ACC MFA command is used to enable and disable Multi-Factor Authentication methods, and to sign in with MFA. It is based on the existing ACC command framework.
ACC MFA ENABLE <method> ...params...
ACC MFA DISABLE <method>
ACC MFA LIST
ACC MFA IDENTIFY <method> ...params...
ACC MFA REQUIRED <method>{,<method>} <info>
ACC MFA DATA <info>
The totp method is based on the TOTP RFC, as well as the otpauth URI that has become the standard format for transmitting TOTP parameters.
The format of the various ACC MFA subcommands when using TOTP is listed below.
ACC MFA ENABLE TOTP
When enabling the totp MFA method, servers generate TOTP parameters and a standard QR code containing an otpauth: URI. This QR code is then displayed to the user through a number of ACC MFA DATA messages. The specific display method should be:
ACC MFA DATA <>*64
... specify some ASCII/Unicode way of displaying it here, with colour codes 0/1 ...
Client: CAP LS 302
Client: NICK dan
Client: USER dan 0 * :Modern Client
Server: CAP * LS :sasl=EXTERNAL,FOO,DH-AES,BAR,DH-BLOWFISH,FOOBAR,PLAIN batch cap-notify
Client: CAP REQ :sasl
Server: CAP dan ACK :sasl
Client: AUTHENTICATE PLAIN
Server: AUTHENTICATE +
Client: AUTHENTICATE ...
Client: AUTHENTICATE amlsbGVzAGppbGxlcwBzZXNhbWU=
Server: ACC MFA REQUIRED TOTP :Two-Factor Authentication Required (/ACC MFA IDENTIFY TOTP code)
Client: ACC MFA IDENTIFY TOTP 142534
Server: 900 dan dan!usr@localhost dan :You are now logged in as dan
Server: 903 dan :SASL authentication successful
Client: CAP END
Server: 001 dan :Welcome to the oratest Internet Relay Chat Network dan
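
The following is an added example, not part of this specification: a sketch of the server side of the totp method, generating the otpauth: URI for ACC MFA ENABLE TOTP and checking the code sent in ACC MFA IDENTIFY TOTP. The function names, the 6-digit/30-second/HMAC-SHA1 parameters, the one-step clock-skew window and the replay check via `last_step` are assumptions; the spec above does not fix any of them.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote, urlencode

DIGITS, PERIOD = 6, 30  # assumed RFC 6238 defaults; the spec above does not fix them

def new_secret() -> str:
    """160-bit random secret, base32-encoded as otpauth: URIs carry it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")

def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """URI the server would put in the QR code sent via ACC MFA DATA."""
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{quote(issuer, safe='')}:{quote(account, safe='')}?{query}"

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", int(at) // PERIOD), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_identify(line, secret_b32, now, last_step=-1, window=1):
    """Return the matched time step for a valid IDENTIFY line, else None.

    Store the returned step and pass it back as last_step so a code
    observed on the wire cannot be replayed within its validity window.
    """
    parts = line.split()
    if len(parts) != 5 or [p.upper() for p in parts[:4]] != ["ACC", "MFA", "IDENTIFY", "TOTP"]:
        return None
    code = parts[4]
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    current = int(now) // PERIOD
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        # Constant-time compare; every step is checked so timing does not reveal which matched.
        if hmac.compare_digest(totp(secret_b32, step * PERIOD), code) and step > last_step:
            matched = step
    return matched

# Constructed sample: the published RFC 6238 test secret "12345678901234567890".
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")
```

A server would fail the pending SASL login when `verify_identify` returns None, and rate-limit repeated failures per account, since a 6-digit code is otherwise guessable.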