[NEW] Two Factor authentication via email #15949
Please, don't. Not by default. Does this mean the admin has to use 2FA before they can even login?? You have the related issue here: Systems where email is either not used, or is broken on setup etc etc. And in any event, isn't the goal of Rocket.Chat to REPLACE email entirely?? This is completely at odds with that policy (I have no idea on the solution, but this isn't it)
@reetp thanks for the feedback, let's make some points clear.
# Conflicts: # package-lock.json
Isn't that the administrator's choice, not yours? By all means add an option, but please stop making these things compulsory and let admins decide how they want to manage their servers.
Except you make a hard dependency on email for your 'security' when your clear direction was to replace email. Take a look at your own home page on your website. I am clearly missing something here.
Am I blind? Or maybe you need to change your website? It is totally illogical. Forcing these sorts of things doesn't make Rocket any more secure because it will just get turned off by those who don't want it. Or are you going to remove that choice as well next? That then goes along with the issues in #15880 where an admin cannot set the password that he wants. You are making email completely essential when you are selling a product that is supposed to make email redundant.
Ahh - and this needs implementing too because there are plenty of users who block ALL html mail and your current emails insist on being html only. RocketChat/feature-requests#187 So no text mails means no mentions, no password resets, no 2FA.....
@reetp let me explain it again.
It's an admin choice! There will be an option to disable it on the admin and even on the wizard as you can see in my last comment and the issue description!
We don't want to kill email but replace it in the communication area, it's important for other reasons, and one of those reasons is security, you use it to reset your password, to receive notifications of profile changes, etc. If you enable 2fa via google authenticator you will not need to use email for that. If you don't want the 2fa you can disable it, it's up to you and your administrator. I hope it makes clear our relationship with the future of communication and emails.
We always provide choices for the users, it's really hard to find cases where we don't; being enabled by default (for new installations) doesn't mean it will be enforced, just suggested as good practice. And yes, it will help people to make their installations more secure; if they don't want that feature it's their choice to actively disable it.
We are solving this in another way; being able to set the plain password can be a good thing for a few but a huge security problem for the majority. Since we value our security we focus on the majority without leaving the minority alone; we will provide a way to create personal access tokens for bots soon.
We are not! Again, you can disable it, use another 2FA solution or just do not verify your email. We will have other additions on top of this one, like 2FA via push notifications, via SMS, etc. This is the basis for the future.
This is good feedback, thanks, let's fix this. I didn't even know it was an issue. Thanks.
# Conflicts: # .eslintrc # package-lock.json # package.json
# Conflicts: # app/api/server/api.js # client/components/setupWizard/steps/SettingsBasedStep.js # package-lock.json # server/startup/migrations/index.js # server/startup/migrations/v172.js
Changing something on the profile page requires a password or a 2fa code to be provided. If the wrong password or 2fa code is provided, the following error is shown:
Providing the wrong password when trying to disable two factor by email on My account > security shows "undefined" as the error:
https://recordit.co/EF5s0GzdSLa
Co-Authored-By: Diego Sampaio <chinello@gmail.com>
Created a PR to our docs regarding the new param of the generate token endpoint: https://github.com/RocketChat/docs/pull/1649
Documentation:
https://github.com/RocketChat/docs/pull/1554
Depends on #15979
Todo
extras