When registering, or at any time after that, a user may select his security level:
Weak: Authentication by password only. Password recovery by email.
Moderate: Authentication by password only. Password recovery by email and SMS code. This level requires the user to specify his mobile number including country code.
Strong: Authentication and password recovery by email and SMS code. This level also requires the user to specify his mobile number including country code.
A user can change his security level at any time.
The owner of a project may specify a minimum security level for the users who can access this project. The specified level can't be higher than the owner's own level. If a user lowers his security level, he may lose access to some of his projects.
When the owner invites other users, they receive an invitation email ("user AAA invites you to join the project BBB…"). If the current security level of the invited user is not sufficient for the project, the same email says: "The project BBB requires security level 'strong'. Please change your security level in order to get access to the project." Exactly the same message appears when a user logs in and tries to open a project whose required level is higher than the user's level.
If the user has enabled 2-factor authentication, then once the user enters email and password, we generate a random 6-digit code and send it to the user by SMS. The user is redirected to a page where he can enter the code. The page also has buttons "back to login" and "resend the code"; in the latter case we generate and send a new code.
The user has 3 tries before login fails and the user is redirected back to the login panel.
The code has a timeout (like 10 mins) after which it is considered invalid.
If the user chose the 2-factor scheme for recovery, we send the user an email with a link to the same security-code page and we send an SMS with the code to the user. Once the user enters the code, he can change his password.
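The following is an added example, not code from the original specification, that models the two rules above: the security-level access check (user level versus project minimum, owner cannot require more than his own level) and the SMS-code verification with 3 tries and a 10-minute timeout. Level names, function names and the SmsChallenge class are assumptions; the code uses a CSPRNG for the 6-digit code and a constant-time comparison so a wrong guess leaks nothing through timing.

```python
# Added example (hypothetical names); models the rules of the spec above.
import hmac
import secrets

LEVELS = {"weak": 0, "moderate": 1, "strong": 2}
MAX_ATTEMPTS = 3          # spec: 3 tries, then login fails
CODE_TTL_SECONDS = 600    # spec: code times out after about 10 minutes


def can_access(user_level: str, project_min_level: str) -> bool:
    """A user may open a project only if his level is at least the project's minimum."""
    return LEVELS[user_level] >= LEVELS[project_min_level]


def can_set_minimum(owner_level: str, requested_min: str) -> bool:
    """The owner cannot require a level higher than his own."""
    return LEVELS[requested_min] <= LEVELS[owner_level]


class SmsChallenge:
    """One pending 6-digit code for a login or password-recovery attempt."""

    def __init__(self, now: float):
        # CSPRNG, zero-padded so codes like 004217 keep their leading zeros
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = now
        self.attempts = 0
        self.used = False

    def expired(self, now: float) -> bool:
        return now - self.issued_at > CODE_TTL_SECONDS

    def resend(self, now: float) -> "SmsChallenge":
        """'resend the code': the old code is replaced, never extended."""
        return SmsChallenge(now)

    def verify(self, submitted: str, now: float) -> str:
        """Returns 'ok', 'retry', 'locked' (3 failures) or 'expired'."""
        if self.used or self.expired(now):
            return "expired"          # consumed or timed-out codes are equally invalid
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"           # caller redirects back to the login panel
        self.attempts += 1
        if hmac.compare_digest(self.code, submitted):
            self.used = True          # single use: a code never succeeds twice
            return "ok"
        return "locked" if self.attempts >= MAX_ATTEMPTS else "retry"
```

A successful "ok" is the point at which the login completes or, in the recovery flow, the user is allowed to set a new password.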