
MFA login #60

?

I would like to suggest including multi-factor authentication as a feature for securing login.

2 years ago
1

I suggest OTP since it’s open, flexible and widely adopted.
Might not be the most performant choice though?

Tip: Aegis is a very straightforward 2FA application for Android. It can be found on F-Droid.

2 years ago
1

If this ever gets implemented, please allow disabling it.

2 years ago
9
D

please please please add this

2 years ago
4
A

Sending a code through email might be just as secure in place of 2FA authenticator codes, because most email providers provide 2FA as a security measure.

However, it should be optional in Settings rather than default, as the ease of use will be negatively impacted if it’s not simple password-only.

a year ago
5
N

Passkey support would be nice, but I’d settle with 2FA.

a year ago
2
?

Yubikey please!

a year ago
2

Sending a code through email sounds good.
It’s simple & proven reliable.
And ofc it’s an optional and opt-in feature.

Honestly I think 2FA for a blog is completely overdoing it.
Just use good passwords. And if you need more, you could use OTP or email to verify.

@nullfound & Anonymous: Please remember we’re talking about access to a blog. Not online banking or some seriously discreet stuff.

a year ago
3
E

I would appreciate 2FA support, preferably passkeys or authenticator codes.

8 months ago

TOTP-or-similar setups with passkeys or authenticator apps would be perfect for Bear

7 months ago

TOTP support (e.g. Google Authenticator) would be amazing.

6 months ago
1
?

One time token would be fantastic.

4 months ago
1
?

Bela writes: “If you don’t create attack surface or reasons to attack you, there’s no one to harm you. And I can say from my own experience that this is absolutely possible while still retaining the freedom to unfold, grow, and do things your way.[…]”

This works until you belong to a marginalized group or dare to have opinions that aren’t milquetoast, bland stuff. People get hacked and hated on for liking or disliking a video game, people get sent hate mail for critiquing tech, people get harassed for being gay or trans… there are experiences and lives where you just exist openly and piss someone off enough to want to harm you. It’s unfortunate. I don’t want to live in the prison of writing every blog post making sure it doesn’t get dragged to 4chan or Kiwifarms and worrying about my blog’s safety. They have plenty of time and resources on their hands.

3 months ago
2

Good point.
But how about sharing opinions with people who want to know about them rather than posting them in places where there are more who just want to vent?

One should also consider the purpose of sharing their opinion.
Is it just to tell your opinion?
Is it to vent in some way?
Or is it to share valuable views on something which can actually benefit others?

[…]

I’m not saying “this is it” ~ but that how you say something plays a big role in how others take your words.
For that matter, your ability to phrase your opinions & intentions as the one sharing shapes how others perceive it.
The way you think, your inner values and beliefs shape how others feel about your words.

If you think your word or opinion is overly important, you’ll likely receive a related amount of attention.

To add one thing to these definitions:
Fear, of any kind, conscious or subconscious, always plays the biggest role in whether the world responds positively or negatively towards your words, actions and appearance.

I can firmly say that out of my own experience (since I was little) and observation.

3 months ago
?

Some people may want multifactor authentication and some think it is overdoing it or unnecessary. I get it. But everyone must consider this: people/writers on Bear Blog come from different backgrounds and have different requirements. So I think having an option of multifactor authentication is an absolute must for Bear Blog. Now, using it or making it an extra add-in is what most people will agree upon; not having anything other than simple password login, which can be hacked, is not a great idea. This is 2025 and AI usage is on the rise. Malicious actors are actively trying to gain access to sensitive information all around the world using AI. So it is very vital for Bear Blog’s survival to have a multifactor authentication process built in as an added security layer.

2 months ago
1

I’ll be giving this some thought over the next few days. Here are some things to consider:

  1. Bear does not hold any sensitive information about its users (except email address). In order for a malicious actor to attempt to get into an account they would need to have that email address already, and so would gain no new information by compromising the account.

  2. To my knowledge, there have been zero compromised blogs on Bear. It’s not a high-priority target because there’s not much to be gained by compromising a blog.

  3. Compromised blogs are easily reverted to their original owner by emailing me. It is also possible to back up all of your posts in blog settings as well.

  4. Most people have terrible MFA (and password) hygiene, which leads to many people locking themselves out of their account if MFA is enabled. I will, of course, reinstate access if they email me, but that means that the MFA is just more security theatre than actual security, and increases my workload.

So while I am considering it as an optional feature in the future, it doesn’t have priority since it’s a solution to a problem that hasn’t manifested on Bear as of yet, and increases the customer support for me.

2 months ago
2