
Two-factor Authentication #5

Open
2 of 7 tasks
insertish opened this issue Sep 2, 2021 · 18 comments
Labels
enhancement New feature or request

Comments

@insertish
Member

insertish commented Sep 2, 2021

Add different MFA methods.

1FA

  • Add trusted handover / QR code login.

1FA (requires email specified)

  • Password
  • Add email OTP 1FA login.
  • Add security key 1FA login.

2FA (requires email + password specified)

@insertish insertish added this to the Version 1 milestone Sep 2, 2021
@josefbaltz

Please make sure that you can't access your backup codes with your main account password ... Discord does this and a friend had an account stolen because of this flaw.

@stefanflegg

> Please make sure that you can't access your backup codes with your main account password ... Discord does this and a friend had an account stolen because of this flaw.

That's very interesting, I didn't know that about Discord. I understood backup codes are typically generated and displayed once only at creation time and can't be retrieved afterwards.

@telmobss1

Please don't do like Discord and authenticate through Google Authenticator, because for those who format a smartphone it's a drag.

@bonn2

bonn2 commented Sep 23, 2021

> Please don't do like Discord and authenticate through Google Authenticator, because for those who format a smartphone it's a drag.
@telmobss1

Discord uses the standard TOTP format; you can use other apps that manage those codes much better than Google Authenticator. Authy is a popular one.

@telmobss1

But this creates a lot of problems for some people.

Email account, phone number, and sending the code via messages or to the verification email are sufficient.

@bonn2

bonn2 commented Sep 24, 2021

@telmobss1 Codes sent like that are far less secure

@sussycatgirl

> But this creates a lot of problems for some people.
>
> Email account, phone number, and sending the code via messages or to the verification email are sufficient.

That's far less secure, especially SMS based codes (see SIM swapping for example).

TOTP is a great standard for 2FA, the problem is that most platforms tell people to use Google Authenticator which does not back your codes up properly, locking you out of your account if you lose your phone.

@errhammr

errhammr commented Nov 7, 2021

Does Security Key 2FA Login mean FIDO2/U2F/WebAuthn or the proprietary YubiKey OTP "standard"? I'd much rather prefer the former because it's an open standard that many security dongles support while the latter is only supported by dongles of the YubiKey brand.

@fredster33

I think maybe what @telmobss1 is hinting at is to not recommend Google Authenticator like Discord does. I agree, something OSS should be recommended, like Authy.

@Chew

Chew commented Dec 24, 2021

@errhammr I'm hoping for WebAuthn; that seems the most like a protocol a lot of services would hop on, and it allows built-in peripherals like Apple's Touch ID or Face ID and even Windows Hello. Logging in with my phone 2FA is a pain, but if all I need is a fingerprint, it would be very nice. More importantly, it needs to support more than one method (of course).

Notable platforms that do this: Cloudflare, GitHub, I'm sure the list goes on.

@henry-fisher

TOTP is a must and very happy to see it being considered! TOTP is meant to be an open standard, so it's probably best to avoid direct recommendations. "Scan with your authenticator app" is probably a better solution.

> I think maybe what @telmobss1 is hinting at is to not recommend Google Authenticator like Discord does. I agree, something OSS should be recommended, like Authy.

Authy is not open source. Also please for the love of god let's not utilize an Authy-only TOTP solution like Twitch & Gemini have done. Just standard TOTP that is compatible with anything.

@fredster33

> TOTP is a must and very happy to see it being considered! TOTP is meant to be an open standard, so it's probably best to avoid direct recommendations. "Scan with your authenticator app" is probably a better solution.
>
> > I think maybe what @telmobss1 is hinting at is to not recommend Google Authenticator like Discord does. I agree, something OSS should be recommended, like Authy.
>
> Authy is not open source. Also please for the love of god let's not utilize an Authy-only TOTP solution like Twitch & Gemini have done. Just standard TOTP that is compatible with anything.

My bad, Authy isn't open-source. This sounds even better, no direct recommendations. We can probably link to a neutral list of auth apps (preferably only OSS ones) in case some users are just starting out with 2FA. I think that users should probably be nudged to 2FA as it's much more secure.

@person1234-ux

> Please make sure that you can't access your backup codes with your main account password ... Discord does this and a friend had an account stolen because of this flaw.

I respectfully disagree, please keep that feature. The fact that your friend's Discord account was stolen is their fault, not Discord's fault.

@Chew

Chew commented Mar 13, 2022

Discord is switching to requiring email confirmation for backup codes anyway...

Some services show you the backup codes once, but services like GitHub and Google let you view them whenever. Personally, I'm ambivalent, but it still needs to be easily accessible, if it is at all.

I do also disagree with the above user's attempt to use ad hominem to prove their point, it's still a valid point in terms of security. While it may have been caused by them, I still wouldn't put the blame on them, nor the fault of security on Discord's end (not that they particularly seem to care, despite them putting some effort, it's still disappointingly little).

@LokeYourC3PH

> Please make sure that you can't access your backup codes with your main account password ... Discord does this and a friend had an account stolen because of this flaw.

> I respectfully disagree, please keep that feature. The fact that your friend's Discord account was stolen is their fault, not Discord's fault.

I disagree with your disagreement; I had my account stolen the same way by an automated script due to an exploit that existed in Discord a while ago. Discord support was ass and completely unhelpful, having not done anything. So I agree with the first poster: do NOT let anyone access backup codes without email confirmation, or at all once displayed the first time.

@insertish
Member Author

insertish commented Jun 1, 2022

In reply to the argument above:
I've decided the best way to go about this is to always enforce an MFA step before viewing recovery codes or changing security information. I'm currently planning out how I want to do this and will follow up relatively soon.

In reply to the security key stuff above:
I will be using WebAuthn.
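As an added example for this thread (not Revolt's code), the Python sketch below pairs standard RFC 6238 TOTP verification, which any authenticator app can produce, with the rule decided above: a password alone never unlocks recovery codes or security settings, a fresh TOTP code issues a short-lived MFA ticket, and recovery codes are shown once, stored only as hashes, and usable once each. All function and class names are assumptions.

```python
import hashlib, hmac, secrets, struct

# Added example, not Revolt's code: RFC 6238 TOTP verification plus a recovery-code
# flow that demands a fresh MFA step, not just a password, before codes can be viewed
# or regenerated. Function and class names are hypothetical.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the default every authenticator app speaks."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """RFC 6238: accept the current 30 s window plus one step either side for clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-skew, skew + 1))

def hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class Account:
    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.recovery_hashes: set = set()  # only hashes, never the plaintext codes
        self.mfa_ticket_expires = 0        # unix time; 0 means no valid ticket

    def issue_mfa_ticket(self, code: str, now: int, ttl: int = 300) -> bool:
        """A correct TOTP code unlocks security settings for a short window."""
        if not verify_totp(self.totp_secret, code, now):
            return False
        self.mfa_ticket_expires = now + ttl
        return True

    def regenerate_recovery_codes(self, now: int, count: int = 8) -> list:
        """Codes are returned once for display; the store keeps only their hashes."""
        if now >= self.mfa_ticket_expires:
            raise PermissionError("fresh MFA step required")
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.recovery_hashes = {hash_code(c) for c in codes}
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Each recovery code works exactly once."""
        digest = hash_code(code)
        found = digest in self.recovery_hashes
        self.recovery_hashes.discard(digest)
        return found
```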

@insertish
Member Author

insertish commented Jun 1, 2022

Also I wanted to mention, SMS 2FA will never be supported. It is an insecure standard and isn't worth the trouble.
(I also don't want to pay per SMS message.)

@insertish
Member Author

insertish commented Jun 4, 2022

Implemented MFA flow, now writing tests:

@insertish insertish removed this from the Version 1 milestone Jun 4, 2022
@insertish insertish added the enhancement New feature or request label Oct 12, 2022