[GH-ISSUE #250] MFA push / Authy API compatibility #196

New issue

Open

opened 2026-05-07 00:21:19 +02:00 by BreizhHardware · 4 comments

BreizhHardware commented 2026-05-07 00:21:19 +02:00

Owner

Copy link

Originally created by @alexanderadam on GitHub (May 13, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/250

I'm not quite sure whether this is possible and whether the issue title explains properly what this is about.
The general idea is to improve usability for 2FA.

So for 2FA there's usually a separate app and once users are prompted to type their second factor they might have to unlock their mobile phone, open the authenticator app, search the platform and then they can actually start to type or copy the code.
The company Twilio created a smart solution for making this workflow easier: Authy.
Authy's workflow goes as follows:

the application calls Authy when it wants 2FA assurance. Using Apple or Google, Authy sends a push notification to the user’s device, which improves the user’s experience by leading the user to the mobile app. This push notification does NOT contain the transaction details.

This workflow sounds great and clearly removes friction. But it relies on a proprietary uncontrollable service. Such as most push notification infrastructure besides ntfy.
And this workflow obviously relies on push infrastructure anyway.

Therefore it would be nice to have a free solution to improve people's security.

Without knowing any details about Android development I would guess that it would need these things:

1. The server must have an integration possibility so that services and applications can actually provoke this. The best way would probably to mimic the Authy API, since other developers only would have to give the config option to change the API URL then.
2. ntfy Android app should have a possibility to open a particular entry from an MFA app (maybe it would be good to discuss that with the folks from FOSS OTP projects, such as Aegis or FreeOTP+). I'm not quite sure how video players declare that they are capable of opening videos or certain URLs. Maybe something similar would work here too (i.e. there's already a schema to create a new entry in an OTP app with otpauth://totp/some_email_provider).

I'm fully aware that this is a lot to ask but improving security and its usability for people believing in free software is a probably worth a try.

PS: Thank you so much for nfty 🙌

Originally created by @alexanderadam on GitHub (May 13, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/250 I'm not quite sure whether this is possible and whether the issue title explains properly what this is about. The general idea is to improve usability for 2FA. So for 2FA there's usually a separate app and once users are prompted to type their second factor they might have to unlock their mobile phone, open the authenticator app, search the platform and then they can actually start to type or copy the code. The company Twilio created a smart solution for making this workflow easier: [_Authy_](https://authy.com/). [Authy's workflow goes as follows](https://authy.com/blog/authy-onetouch-simply-strong-security/): > the application calls Authy when it wants 2FA assurance. Using Apple or Google, Authy sends a push notification to the user’s device, which improves the user’s experience by leading the user to the mobile app. This push notification does NOT contain the transaction details. This workflow sounds great and clearly removes friction. But it relies on a proprietary uncontrollable service. Such as most push notification infrastructure besides ntfy. And this workflow obviously relies on push infrastructure anyway. Therefore it would be nice to have a free solution to improve people's security. Without knowing any details about Android development I would guess that it would need these things: 1. The server must have an integration possibility so that services and applications can actually provoke this. The best way would probably to mimic [the Authy API](https://www.twilio.com/docs/authy/api#api-base-url), since other developers only would have to give the config option to change the API URL then. 2. [ntfy Android app](https://github.com/binwiederhier/ntfy-android#ntfy-android-app) should have a possibility to open a particular entry from an MFA app (_maybe it would be good to discuss that with the folks from FOSS OTP projects, such as [Aegis](https://github.com/beemdevelopment/Aegis) or [FreeOTP+](https://github.com/helloworld1/FreeOTPPlus)_). I'm not quite sure how video players declare that they are capable of opening videos or certain URLs. Maybe something similar would work here too (_i.e. there's already a schema to create a new entry in an OTP app with `otpauth://totp/some_email_provider`_). I'm fully aware that this is a lot to ask but improving security and its usability for people believing in free software is a probably worth a try. **PS:** Thank you so much for nfty :raised_hands:

BreizhHardware added the

enhancement

server

labels 2026-05-07 00:21:19 +02:00

BreizhHardware commented 2026-05-07 00:21:20 +02:00

Author

Owner

Copy link

@Curid commented on GitHub (May 13, 2022):

You can use something like Authelia on your web server.

<!-- gh-comment-id:1126379663 --> @Curid commented on GitHub (May 13, 2022): You can use something like [Authelia](https://www.authelia.com) on your web server.

BreizhHardware commented 2026-05-07 00:21:21 +02:00

Author

Owner

Copy link

@alexanderadam commented on GitHub (May 13, 2022):

You can use something like Authelia on your web server.

This issue is not about securing ntfy with an identity provider. It's about providing a Authy inspired/compatible API within ntfy and allowing to open an Android intent on OTP apps that will open a particular entry.

<!-- gh-comment-id:1126419017 --> @alexanderadam commented on GitHub (May 13, 2022): > You can use something like [Authelia](https://www.authelia.com) on your web server. This issue is _not_ about securing ntfy with an identity provider. It's about providing a Authy inspired/compatible API within ntfy and allowing to open an Android intent on OTP apps that will open a particular entry.

BreizhHardware commented 2026-05-07 00:21:21 +02:00

Author

Owner

Copy link

@Curid commented on GitHub (May 13, 2022):

You want to use ntfy to proxy OTP requests from back-end services to OTP apps?

<!-- gh-comment-id:1126460105 --> @Curid commented on GitHub (May 13, 2022): You want to use ntfy to proxy OTP requests from back-end services to OTP apps?

BreizhHardware commented 2026-05-07 00:21:21 +02:00

Author

Owner

Copy link

@alexanderadam commented on GitHub (May 15, 2022):

I'm not quite sure what 'proxying' would mean in this context.

The way Authy works (and how I imagine this could work in a combination of ntfy and an OTP) is this:

1. You try to sign in with activated MFA on a platform (i.e. example.org)
2. The platform sends a notification to Authy (or maybe your ntfy instance in the future) that you need the OTP code for example.org (there are some libraries to communicate with an Authy API)
3. Your mobile device is getting the notification and when you tap on it, you'll see the entry for example.org in your favourite OTP app

Since ntfy already supports bringing push notifications from $somewhere via ntfy server to the ntfy Android client only two things are left to replace Authy with ntfy in this scenario:

1. an incoming API entrypoint for "show OTP entry of example.org" (platform maintainers could probably even use official libs if the API would be compatible to the Authy API)
2. a way for the ntfy Android to open your OTP on the mobile device for example.org (maybe by opening a scheme like this otprequest://example.org). OTP apps need to subscribe to these URLs (I also asked on andOTP whether this is possible)

<!-- gh-comment-id:1126890878 --> @alexanderadam commented on GitHub (May 15, 2022): I'm not quite sure what 'proxying' would mean in this context. The way Authy works (_and how I imagine this could work in a combination of ntfy and an OTP_) is this: 1. You try to sign in with activated MFA on a platform (_i.e. `example.org`_) 2. The platform sends a notification to Authy (_or maybe your ntfy instance in the future_) that you need the OTP code for `example.org` (_there are [some libraries to communicate with an Authy API](https://github.com/twilio?q=authy-&sort=stargazers)_) 3. Your mobile device is getting the notification and when you tap on it, you'll see the entry for `example.org` in your favourite OTP app Since ntfy already supports bringing push notifications from $somewhere via ntfy server to the ntfy Android client only two things are left to replace Authy with ntfy in this scenario: 1. an incoming API entrypoint for "_show OTP entry of `example.org`_" (_platform maintainers could probably even use official libs if the API would be compatible to the Authy API_) 2. a way for the ntfy Android to open your OTP on the mobile device for `example.org` (_maybe by opening a scheme like this `otprequest://example.org`_). OTP apps need to subscribe to these URLs (_I also asked on [andOTP](https://github.com/andOTP/andOTP/issues/990) whether this is possible_)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#196

No description provided.