2 factor authentication for the API

In our Telegram group someone suggested we add 2FA functionality to our project and we realized it'd be a great feature to add to the bunq API.

Basically what we were thinking was allowing the user to choose to turn on 2FA for an API key upon creating it in the app or while accepting a new request by scanning a QR code.

After that, when a new session is created with this key the user receives a push notification which prompts the user to allow or block the request. When the user blocks the request you could also ask the user if he/she wants to deactivate the key, since someone/something is trying to use their API key.

If the user accepts the request there will be a second endpoint alongside the session-server endpoint, similar to the new tinker API endpoint (/v1/credential-password-ip-request/{uuid}). This endpoint would return an accepted/pending/rejected status and a session key once it gets accepted.

This is extremely similar to how Google uses phone prompts which looks like this:

You could of course allow the application sending the request to add a description and display the IP address of the application doing the request, among other useful info.

Just think of the new Tap & Pay screen but with a different background color to make sure the user knows it is a different page.

Currently if someone steals my key somehow I will get a notification that someone logs in. But if that person is smart they could run a bunch of API calls before you can go to your settings and deactivate them.

Adding this 2FA functionality would straight up block this situation while still allowing users to log in to their favorite API projects with ease.
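As an added illustration of the approval flow described in the post above (constructed example, not bunq's API and not code from the thread): a toy server-side model in which a key with 2FA turned on never yields a session until the user answers the push prompt, the pending request id is unguessable, the session token is handed out exactly once, and blocking the prompt can deactivate the key. The `ApprovalServer` class, its method names and the IP addresses used in tests are assumptions.

```python
import secrets
from dataclasses import dataclass, field

PENDING, ACCEPTED, REJECTED = "pending", "accepted", "rejected"

@dataclass
class ApiKey:
    two_factor: bool = True   # 2FA opted in when the key was created / the QR was scanned
    active: bool = True

@dataclass
class ApprovalRequest:
    key_id: str
    client_ip: str            # shown to the user in the push notification
    description: str          # supplied by the requesting application
    status: str = PENDING
    session_token: "str | None" = None

@dataclass
class ApprovalServer:         # hypothetical model of the proposed server behaviour
    keys: dict = field(default_factory=dict)
    requests: dict = field(default_factory=dict)

    def create_session(self, key_id, client_ip, description):  # the session-server step
        key = self.keys[key_id]
        if not key.active:
            raise PermissionError("api key deactivated")
        if not key.two_factor:   # key without 2FA: a session straight away, as today
            return {"status": ACCEPTED, "session_token": secrets.token_urlsafe(32)}
        uuid = secrets.token_urlsafe(16)   # unguessable, so only the real client can poll it
        self.requests[uuid] = ApprovalRequest(key_id, client_ip, description)
        return {"status": PENDING, "request_id": uuid}   # no session until the user approves

    def user_decides(self, uuid, allow, deactivate_key=False):  # the prompt in the app
        req = self.requests[uuid]
        if req.status != PENDING:
            raise ValueError("decision already recorded")   # cannot be flipped afterwards
        if allow:
            req.status, req.session_token = ACCEPTED, secrets.token_urlsafe(32)
        else:
            req.status = REJECTED
            if deactivate_key:   # the "deactivate the key?" follow-up question
                self.keys[req.key_id].active = False

    def poll(self, uuid):   # the status endpoint: pending/accepted/rejected
        req = self.requests[uuid]
        result = {"status": req.status}
        if req.session_token is not None:
            result["session_token"], req.session_token = req.session_token, None  # once only
        return result
```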

    Hi Gregory,

    Thanks for sharing this idea with us 💡 It does sound like a helpful tool when using the API 👍

    We'll see what other bunqers think & I wish you a nice weekend.

    Cheers 🙂

      We implemented 2FA by restricting API access to certain IPs, which you can toggle/set to your liking.


      Having this in the App is unlikely: for the case you describe above we should think of something on a higher level probably. Not entirely sure/clear on that yet.

        The issue with IP-bound 2FA which I have personally noticed was that when I was working on my project on the train, for example, I constantly had to whitelist my IP through the docs, causing me to just disable it.


        With a system like I described above that'd be a one touch step directly from the bunq app. (Possibly two steps if you have to enter a pin/scan their fingerprint)


        My idea definitely needs some tweaking but I'd love any kind of 2FA coming from bunq for the API. It'd allow me to not even store the encrypted sessions on the device within my application and just keep it in memory until the user logs out.


        Thanks for the feedback 👍

          I use https://duo.com in my apps and sites. Works like a charm. Would be great if you implement it (or something alike) with the API.

            My entire project is client-side only, we don't store user data on a server so any free solutions that I can find aren't useful for it. I know Duo's platform and I'm pretty sure they do not support client-side applications with how their secrets are stored/generated.

            I thought of implementing 2FA directly in the client, but that'd only protect users from people who don't know how to reverse engineer the application. It wouldn't protect users against someone who writes their own script to extract the data. It'd be like checking your password in the browser using JavaScript.

            And sure I could build a whole service with some kind of storage solution using end-to-end encryption. But nothing I can build will be more secure and easy to use than bunq implementing something directly into the API.
