Golang : How to implement two-factor authentication?

Nowadays, having a password no longer protects your account or website been hacked. This is because password is a "something you know" and it can be shared, leaked and reuse by someone else.

To improve online security, the 2FA or better known as two-factor authentication adoption is growing worldwide because 2FA has the additional benefit of "something you have" -- such as a token( a string) -- which is unique to the person holding the token generator.

Cyber criminals(or some state sponsored crackers) will have harder time to access your account or server even with plaintext password...when the password is used together with a one time token generated by app such as Authy (https://www.authy.com/) or Google Authentication App.

To implement 2FA on your website. Basically the steps are:

1. Create a button to let your user to enable 2FA on their own account.
2. Generate a QR code that compliant to Authy or Google Authentication.
3. Show the QR code and have an input prompt for the token.
4. Have the user scan the QR code and enter the one time unique token for verification.
5. Once the user is authenticated, mark the user's account as 2FA enabled in the database and memory.
6. For best result, logout the user and force the user to login again with 2FA.

For step 2, see this tutorial on how to generate QR codes that are compliant with Google Authenticator App.

https://www.socketloop.com/tutorials/golang-generate-qr-codes-for-google-authenticator-app-and-fix-cannot-interpret-qr-code-error

For step 3 to 4 :

https://www.socketloop.com/tutorials/golang-verify-token-from-google-authenticator-app

Anything that I've missed out or suggestion to add? Leave your comment below.

References :

https://github.com/google/google-authenticator/wiki/Key-Uri-Format

https://github.com/dgryski/dgoogauth

http://blog.gopheracademy.com/advent-2013/day-21-two-factor-auth/