Question

I am implementing a REST API that has both mobile application and browser based clients and users. Based on questions I've asked and previous questions here and at security.stackexchange, I have come to the conclusion that to stay as "RESTful" as I can for as long as I can, HTTP Basic Auth over SSL is sufficient for Authentication. The problem is I'd also like to implement Two Factor Authentication along with it. Is it acceptable to add headers in the 401 Authorization header response, like username:password:token, or in a totally separate request header, but in the same payload as the basic auth response by the client? Since I'm using node.js + express/connect, I have access to the entire HTTP protocol stack, but want to remain as restful as possible for scalability reasons. On the browser side, I guess I could do the basic auth, and if it passes, ask for the TFA token, and only if it passes consider the user authenticated.


Solution

You can technically make up new authentication schemes to extend from HTTP Basic Auth, but they generally won't be supported by browsers. In your example, I don't believe any browser would be able to natively ask for and send username:password:token in the same way they can easily ask for username and password.

Generally two-factor authentication schemes work by putting the user into an intermediary state using some form of sessions, as you mentioned in your second example. A user who has passed the first factor, say username/password via Basic Auth, has a session opened but not marked as really logged in until they also pass the second factor, such as inputting a dongle code or something like that. Once both factors are passed, their session is marked as fully logged in and they can access their account/data/whatever.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow