
Add Two-factor Authentication (2FA) #1434

Closed
ghost opened this issue Feb 17, 2021 · 21 comments
Labels
enhancement New feature or request extra: help wanted Extra attention is needed

Comments

@ghost

ghost commented Feb 17, 2021

Description

I believe you are already aware of what I am trying to suggest here. 2FA plays a major role in improving the security of an account on Social Media sites (nowadays, it is very much needed on every platform which has accounts). 2FA using a third-party mobile app like Aegis, AndOTP, Google Authenticator, Authy, etc. is a very good security feature imo. Reddit also has it and it would be really nice to see it on Lemmy.



@ghost ghost added the enhancement New feature or request label Feb 17, 2021
@dessalines
Member

We have wayyy too many other things on our plate right now, but if someone else wants to take a crack at it go ahead.

@Nutomic Nutomic added the extra: help wanted Extra attention is needed label Feb 17, 2021
@StaticallyTypedRice
Contributor

StaticallyTypedRice commented Feb 17, 2021

Just curious, what kind of 2FA is everyone most interested in? Email? Text? Authenticator app?

@ghost
Author

ghost commented Feb 18, 2021

I personally prefer Authenticator App (and sometimes Text) over Email because if your Email is compromised, 2FA can do nothing. In case of Authenticator app, you can locally store the tokens instead of relying on a cloud service and in case of Text, only you have your SIM card. Of course there are various ways to steal Tokens and Text messages but they are much more difficult compared to Email.

@Mart-Bogdan
Contributor

Relates to #1368

PS. Doesn't using google authenticator go against Federation ideas?

@ghost
Author

ghost commented Feb 28, 2021

Relates to #1368

PS. Doesn't using google authenticator go against Federation ideas?

Google authenticator only stores the tokens just like any other 2FA app. How is it against federation? It isn't affecting decentralisation and federation for Lemmy at least. Also I only used it as an example because I think most people know about it unlike other FOSS 2FA apps like Aegis.

@Mart-Bogdan
Contributor

Google authenticator only stores the tokens just like any other 2FA app. How is it against federation?

Actually my bad. I thought the backend needs to talk to the google server, to verify TOTP.

It seems it could be made offline.

I am wondering whether there are libs available that support different 2FA providers at the same time, like Aegis, AndOTP, Google Authenticator, etc.? It doesn't have to be in Rust.

@TheEvilSkeleton

I'm pretty sure Computerphile explains how 2FA works: https://www.youtube.com/watch?v=ZXFYT-BG2So

@Kellegram

Google authenticator only stores the tokens just like any other 2FA app. How is it against federation?

Actually my bad. I thought the backend needs to talk to the google server, to verify TOTP.

It seems it could be made offline.

I am wondering whether there are libs available that support different 2FA providers at the same time, like Aegis, AndOTP, Google Authenticator, etc.? It doesn't have to be in Rust.

All 2FA apps will work, it's a standard.

@StaticallyTypedRice
Contributor

Relates to #1368

PS. Doesn't using google authenticator go against Federation ideas?

The authenticator protocol is an open standard, I'm pretty sure. There are fully open source authenticator apps.

@TheEvilSkeleton

I'm really surprised this isn't a priority to be honest.

@dessalines
Member

We have about 100 other priorities for Lemmy. But this is an open source project, anyone is free to take a crack at it.

@Kellegram Kellegram removed their assignment Aug 24, 2021
@Nutomic
Member

Nutomic commented Aug 24, 2021

I had to hide some comments for being off topic. If what you write doesn't bring us closer to implementing the feature, then it probably doesn't belong on the issue tracker. As mentioned by @dessalines, we have a lot of tasks that are more important than 2FA. If that is a problem for you, then don't use Lemmy for now.

@ghost ghost closed this as completed Dec 9, 2021
krisu5 added a commit to aegis-icons/aegis-icons that referenced this issue Apr 4, 2022
krisu5 added a commit to aegis-icons/aegis-icons that referenced this issue Oct 31, 2022
@LiftedStarfish

Can somebody reopen this issue? Lemmy still does not have 2FA, and the user who opened it has been deleted.


7 participants