Diagrams

Setup authenticator app

@startuml
actor Alice #green
Alice->Wallet: Create Primary account Wallet->Alice: Primary account public key
Alice->Wallet: Create Recovery account Wallet->Alice: Recovery account public key
Alice->2FAServer: Get ARC-14 realm (/v1/Multisig/GetRealm) 2FAServer->Alice: Return realm (2FA#ARC14)
Alice->Wallet: Sign ARC-14 Tx with Primary account Wallet->Alice: SendSigned Auth Tx
Alice->2FAServer: Request 2FA secret, auth with primary account, secondary account as param (/v1/Multisig/SetupAuthenticator) 2FAServer->Alice: Returns QR code 2FAServer->Alice: Returns error if previously stored
Alice->2FAServer: Confirm 2FA secret, auth with primary account, secondary account as param, pin as param (/v1/Multisig/ConfirmSetupAuthenticator) 2FAServer->Alice: Ok if stored correctly
@enduml
Setup authenticator
Person creates primary account and recovery account. It is recommended that two accounts are created using different technologies, and recovery account is cold storage account.
In first request person request the 2FA server for the realm. He signs the authentication transaction, and uses it further with communication with 2FA server. 2FA server now knows the user has private key to the primary account.
To create 2FA account, user calls SetupAuthenticator method with parameter of recovery account. Server responds with QR code and manual entry key.
For increased user friendliness user can call this method as many times he wants until he call ConfirmSetupAuthenticator. When server stores information that this primary account and recovery account is used, it does not show sensitive qr code any more.
Server uses hash of its own secret with primary account and secondary account as seed for 2FA account.

Sign transaction with authenticator app

@startuml
actor Alice #green
Alice->Wallet: Sign msig tx with primary account Wallet->Alice: Signed msig tx
Alice->2FAServer: Get ARC-14 realm (/v1/Multisig/GetRealm) 2FAServer->Alice: Return realm (2FA#ARC14)
Alice->Wallet: Sign ARC-14 Tx with Primary account Wallet->Alice: SendSigned Auth Tx
Alice->2FAServer: Request to sign msig tx. Tx is in parameter, primary account is identified by auth tx, secondary account is parameter, pin is provided in parameter (/v1/Multisig/SignWithTwoFactorPINMsigTx) 2FAServer->Alice: Signed msig tx
Alice->Blockchain: Send msig tx
@enduml
Sign 2FA transaction
Alice can sign transaction only if she has access to the primary account private key and when she has access to the 2FA device to request pin.