
MFA login #60

?

I would like to suggest including multi-factor authentication as a feature for securing login.

a year ago
N

I suggest OTP since it’s open, flexible and widely adopted.
Might not be the most performant choice though?

Tip: Aegis is a very straightforward 2FA application for Android. It can be found on F-Droid.

a year ago

If this ever gets implemented, please allow it to be disabled.

9 months ago
5
W

please please please add this

7 months ago
2
A

Sending a code through email might be just as secure in place of 2FA authenticator codes, because most email providers provide 2FA as a security measure.

However, it should be optional in Settings rather than default, as the ease of use will be negatively impacted if it’s not simple password-only.

5 months ago
2
N

Passkey support would be nice, but I’d settle with 2FA.

3 months ago
?

Yubikey please!

3 months ago
N

Sending a code through email sounds good.
It’s simple & proven reliable.
And ofc it’s an optional and opt-in feature.

Honestly, I think 2FA for a blog is completely overdoing it.
Just use good passwords. And if you need more, you could use OTP or email to verify.

@nullfound & Anonymous: Please remember we’re talking about access to a blog. Not online banking or some seriously discreet stuff.

3 months ago
1
N

As I’ve already stated, I don’t have a strong opinion here (a code through email is a form of 2FA). I’m merely expressing my desire. As for passkeys, they are just the new password. They should be becoming ubiquitous as they are easier to use and more secure.

3 months ago
N

…as well as bound to a piece of hardware and oftentimes also to a specific vendor which holds exclusive rights on your access to this login solution.

In simple terms: it’s not that simple.
There are similar solutions with different pros & cons.
And the main issue with authentication is lack of awareness on the user’s side - not the method itself.

Many big-tech companies today make their products so that you don’t really need to know anything in order to use them - which makes them very accessible on one hand - and the user very clueless about almost anything on the other.
Therefore it’s also very much a lack of consciousness.

It’s extremely easy to create a strong, memorable password.
If you disagree with this statement, your knowledge may be highly outdated.

3 months ago
N

No, I definitely agree with you. Anything that requires the user to have some extra hardware is a bit overbearing. That’s why I like passkeys, they use your phone, so you don’t need something like a Yubikey. They are also FIDO2 compliant and easier to use than passwords for the end user, not to mention significantly more secure.

3 months ago
2
N

Here’s a good explanation about how it works and what the experience with using a Passkey is like: https://www.future.1password.com/passkeys.

3 months ago
1
?

Some people use blogs and want to remain anonymous. There’s no IP log and no way to know if our account has been accessed by an unauthorized party, because there are no verification orders for logins.

It would be perfect to have an opt-in option to verify using email, because email often provides 2FA by default, so we’d have

login to bear --> email <-- 2FA

24 days ago