I'm trying to implement two-factor authentication via TOTP. I have a webapp and mobile applications (iOS and Android). I want the two-factor auth flow only on the webapp but not on the mobile apps. How can I securely bypass two-factor auth on only the mobile apps?
Update: I'm using a common backend API for the webapp and mobile apps. I need to implement two-factor on the webapp. For the mobile apps, one factor (username, password) is fine.
Having two authentication flows, one with 2FA and one without, is basically a vulnerability. Implement 2FA everywhere or don't bother.
PayPal has had some bad experiences with partial 2FA implementations. No reason for you to follow.
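The point made in the answer above, as an added example that is not part of the original post: on a common backend, a 2FA check keyed on a client-declared platform is skipped by any request that declares itself mobile, while a check keyed on the account is not. The function names, the `client_type` field and the sample account are assumptions; the key is the published RFC 6238 test key, and the password is assumed to have been verified already.

```python
import base64, hashlib, hmac, struct

# Constructed sample data: RFC 6238 test key ("12345678901234567890" in base32).
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {"alice": {"totp_secret": RFC_KEY}}

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at, step=30, window=1):
    """Accept the current time step and `window` steps either side."""
    submitted = (code or "").encode()
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step).encode(), submitted):
            return True
    return False

def second_factor_ok_weak(user, client_type, code, now):
    """Flow from the question: the client-declared platform decides."""
    if client_type == "mobile":   # request field, set by whoever sends it
        return True
    return verify_totp(USERS[user]["totp_secret"], code, now)

def second_factor_ok(user, client_type, code, now):
    """2FA everywhere: client_type plays no part in the decision."""
    return verify_totp(USERS[user]["totp_secret"], code, now)

if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    for check in (second_factor_ok_weak, second_factor_ok):
        print(check.__name__, "mobile, no code ->", check("alice", "mobile", None, now))
```
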