Feature Request FR-1950
Product Area Application Builder
Status ROADMAP

132 Voters

Make it easy to integrate APEX application sign in with mobile authenticators, i.e. Microsoft, Google, etc.

jkerr Public
· Sep 10 2021

Idea Summary
Make it easy for a developer to integrate APEX application sign on with standard mobile authenticators, such as Microsoft, Google, etc. for both application and oracle based authentication schemes.  Ideally, include it in the default APEX sign on page with check boxes to enable or disable.  An option for SMS based codes would be good as well, for those who might not use the authenticator.

Another reason for doing this is that presently there is not a way to do this, at least I was unable to find a solution after extensive searching through blogs, sites, etc.  

Use Case
Dramatically improve security for APEX applications, increase developer productivity, increase the probability of proper design and implementation, and encourage two factor authentication.  

It seems to me this is a very fundamental need across almost all APEX applications and would make the most sense if it was “baked in” once.

Preferred Solution (Optional)
On the APEX default login page provided out of the box include page attributes to enable or disable mobile authenticators and SMS code based two factor authentication.  Could also be delivered as multiple sign on regions on the page configured based on these options and the developer would enable or disable a region depending on which approach they wanted to use.

Comments

  • steve.recsky OP 3.7 years ago

    I have spent a significant amount of time building out support for authenticator applications (Google, Microsoft, etc.) for two-factor/multi-factor authentication within APEX. This includes the use of OSS Utils in GitHub. It would be much easier to implement TFA/MFA if it was natively supported within APEX.

  • jkerr OP 3.7 years ago

    With something this basic and important in an age of such high cyber security risk it is hard to understand why more votes are needed.

  • jayson hanes Admin OP 3.7 years ago

    @jkerr it's not just about votes. It's about support through comments and/or votes and/or justification of appropriateness and/or justification of demand (etc, etc) in a sea of many other competing ideas or needed features in a world of finite time and resources.

  • gemma wood OP 3.7 years ago

    It’s a good idea but with things like Microsoft AD/social sign in you get 2FA by default as part of the integration

  • jkerr OP 3.7 years ago

    You only get 2FA through social sign in if they use it, and have strong passwords, vs. if you are able to force 2FA and confirm passwords are strong with your APEX app signon.

  • dsievers OP 3.6 years ago

    As a paying Oracle customer, I strongly support this. I have been asked by my organization if we can implement 2FA/MFA - there is a lot of open source software out there, but how do I know that is secure, or maintained? Similarly, blog sites show some things, but again, not always enough detail of how to do this reliably. Also, corp then wants to understand the license of such code from a legal side. Maybe not so needed for hobbyists, but using this in a large organization with a lot of rules would be cumbersome, or if we implement it wrong, actually could make the application LESS secure. I would be so happy if Oracle could support this.

  • dgp.holtman OP 2 years ago

    This is an industry-wide security best practice.

    Any more arguments needed?

  • sgtlaxman OP 1.6 years ago

    This stops us from using Apex application as it fails SOC compliance. I think it is a must-have and the first thing to have in any org serious about their application development.

  • gemma wood OP 1.6 years ago

    I do think this feature is needed for some use cases, but I think people need to take a step back and look at integrating with a directory service like AD/Google wherever possible and leveraging the 2FA from the service and centralizing user management.  That will make auditors happier still.

  • darenjanes2 OP 1.6 years ago

    Put me down on the side of wanting TFA integration with native/custom authentication. Having just gone through a bit of a nightmare integrating Google Partner Authentication with a non-APEX application, I want nothing to do with it.

  • gemma wood OP 1.6 years ago

    @darenjanes2 Surely that is down to the integration with Google/Azure being made simpler by the APEX dev team rather than having to fall back to custom auth?

  • darenjanes OP 1.6 years ago

    Why can't we have both options?

  • gemma wood OP 1.6 years ago

    @darenjanes oh I totally agree and I agree there are use cases where AD/Azure integration is not appropriate/possible. I just think people jump at 2FA in APEX rather than looking at the benefits of single sign on and the 2FA comes with that.

  • morten OP 1.6 years ago

    As an aside, there's a PL/SQL implementation of TOTP here that can be used to roll your own 2FA in APEX: https://apexutil.blogspot.com/2018/07/two-factor-authentication-with-apex.html

    Of course it would be better to have it built-in and just “check a box” in APEX, but worth looking into for those who can't or won't wait for something “official”.

  • dsievers OP 1.4 years ago

    Strongly need this as well. Corporate policy wants us to improve security by using 2FA/MFA. 

    Unlike the original idea, I suggest the developer should be able to require this at the application level in some way, instead of leaving it to users to opt-in. This is a way to enforce corporate policy.

    When asking for this feature I am often referred to blog posts or code on GitHub that was written back in 2019. How do I know that is still secure today? How do I know I will implement correctly? How do I know the people that wrote it even did it securely, despite good will?

    As a “low code” platform, this should be a common enough feature that a company with the resources and know-how to check for security matters can implement it reliably for everyone.

  • dgp.holtman OP 1.3 years ago

    Although it is possible to use Google and others as identity providers, not every government organization wants to have their users authenticated by an external party. Also other organizations may not want their users to be exposed to companies like Google, Facebook and others.

    If developers / organizations rely on these identity providers, no problem, but a serious no-code / low-code platform should also supply their own secure login experience.

    And what about applications that run on the internal network, disconnected from the internet?
    Even these applications need a secure login experience.

  • stirling.butcher OP 8 months ago

    It's a good idea - that said I implemented 2FA via email back in 2007ish. It was very easy to do. For those needing 2FA, rather than waiting maybe think about if that would work for your use case.