I would like to suggest including multi-factor authentication as a feature for securing login.
I suggest OTP since it’s open, flexible and widely adopted.
Might not be the most performant choice though?
Tip: Aegis is a very straightforward 2FA application for Android. It can be found on F-Droid.
If this ever gets implemented, please allow disabling it.
Please, please, please add this.
Sending a code through email might be just as secure in place of 2FA authenticator codes, because most email providers provide 2FA as a security measure.
However, it should be optional in Settings rather than default, as the ease of use will be negatively impacted if it’s not simple password-only.
Passkey support would be nice, but I’d settle with 2FA.
Yubikey please!
Sending a code through email sounds good.
It’s simple & proven reliable.
And ofc it’s an optional and opt-in feature.
Honestly, I think 2FA for a blog is completely overdoing it.
Just use good passwords. And if you need more, you could use OTP or email to verify.
@nullfound & Anonymous: Please remember we’re talking about access to a blog. Not online banking or some seriously discreet stuff.
Some people use blogs and want to remain anonymous. There’s no IP log and no way to know if our account has been accessed by an unauthorized party, because there are no verification orders for logins.
It would be perfect to have an opt-in option to verify using email, because email often provides 2FA by default, so we’d have
login to bear –> email <– 2FA
That’s a good idea!
I guess you mean a one time passphrase that’s sent via E-Mail in order to complete the login.
This is a proven workflow which works quite well if you have a working email setup.
Some platforms actually don’t have passwords at all. They send you a one time passphrase via mail every time you login.
I would like to see at least an email-sent code as an optional security measure for login. 2FA would also be nice, though.
Coming here as a new user, I’d appreciate some more security for my personal site. My email is linked to the same domain, so the reputation is important for me to manage.
@Kaizen Have you ever had breaches in accounts where you set a secure password?
Thousands of examples of that …
Then it was either not a very secure password ~ or the issue wasn’t the password but the server side security.
⪧⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫⪦
Do you really think all those cases where accounts on big platforms were infiltrated multiple times were mere brute-force attacks?
The companies behind these platforms try to conceal information as best as they can. But when suddenly a huge percentage of all accounts get infiltrated no matter the password quality, you can be pretty certain that someone managed to infiltrate their infrastructure (loop-hole).
If you remember the cause with Google Accounts about 4 ~ 6 years ago. Almost everyone I talked to had logs and warnings of strangers logging into their Google Account.
Once I got such a message 2 minutes after I changed my password.
⪧⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫·⩫⪦
After all that: Do you really want to tell me that a password in itself is too weak?
If it gets infiltrated, it probably wasn’t that good.
And don’t forget: This is a very small blogging platform.
Really nothing crazy or of great interest to breach into.
If you attract people who try to harm you with the kind of work you do ~ or how you do it ~ it’s your responsibility to change it.
Even if we’re talking about Journalists.
If you don’t create attack surface or reasons to attack you, there’s no one to harm you. And I can say from my own experience that this is absolutely possible while still retaining the freedom to unfold, grow, and do things your way.
Cheers
As an example, I freely provide people I don’t know with a lot of information about me.
They technically could possibly use that to try to harm me.
But they won’t.
Simply because the way I communicate would not even give them the idea of doing harm. The exact reason is not easy to put in short terms. You could say it’s a subconscious psychological principle ~ but in reality it’s much more than that.
————————
You could also say that the issue with people getting attacked lies within their own mindset. But it may take time to realize that in life.