2-Factor Authentication Support #1071
Comments
I'm no programmer, but I can say that 2FA is needed. The problem is what kind of 2FA will be implemented. There are four types of 2FA: email-based, SMS-based, authenticator-based and FIDO-key-based. Out of all four 2FA methods, SMS-based is the least secure method because it is known to be vulnerable to SIM swap attacks, and operating SMS-based 2FA can be costly. My suggestion would be to implement only the email-based, authenticator-based and FIDO-key-based methods.
Any news regarding this?
Yeah, make this a priority please.
This needs to happen ASAP. We can't have a social network without 2FA. Put this before federation.
Strong agree, especially in a time where governments are scrutinizing the security of social media platforms.
OAuth needs to be implemented before 2FA can be added. In this post @/dholms said:
The Bluesky team are in the process of implementing OAuth, especially @/matthieusieben in this PR.
Please warn here once it is live (because I recently successfully removed all services that do not have 2FA from the ones I use, so for me it's a deal breaker (for now) :)
@surfdude29 I appreciate the update! I don't mean to come off as pushy. I am greatly appreciative of the work you all do.
@Eutropios No worries! Fwiw your comment didn't come off as pushy to me, and I agree it's very important for Bluesky to implement 2FA as soon as they can. Also, just to clarify, I make small contributions every now and then, but I'm not part of the Bluesky team or anything, I just thought it might be helpful to pass on here the latest that I'd heard about 2FA :)
I signed on just to second this — especially for authenticator-based/OTP 2FA.
Quick update for those following, @/pfrazee posted just over an hour ago:
The email auth factor landed in #3602 and the relevant atproto PRs look to be bluesky-social/atproto#2416 and bluesky-social/atproto#2419.
Another quick update, 2FA using email is now available on the web 🎉 I tried it and it worked great 👌 Just something to be aware of though: if you enable it now on the web, it won't be possible for you to log in using the iOS or Android app until you have the 1.79 update (unless you disable 2FA on the web first, of course). The 1.79 update is currently awaiting review by the app stores and will hopefully be available in the next few days.
The 1.79 update is now rolling out in the app stores with 2FA via email 🚀 (last update from me, sorry for sending so many)
Thanks for the heads up, but it will be without me on email as it's not secure; hope you will not make the same mistake on the more secure one (WebAuthn/passkey, to "hide" it behind OTP). But congratulations for this first step!
As a simple heads up, any news on the SSO (for more advanced 2FA)?
@/bnewbold said on 4 June about OAuth:
@/matthieusieben is still hard at work, putting what are hopefully finishing touches on the OAuth implementation – the latest PR is here: bluesky-social/atproto#2483
I'd like to ask if OATH-TOTP or passkey (WebAuthn) support is being considered?
Hello, just wondering if there's any news on TOTP support coming, as there's not been a team update on this issue since June. Thanks!
I'd definitely like to see something like this as well. Email 2FA in my opinion is one of the weakest forms of 2FA, because there's only one account to hack (your email) and the attacker can then both reset your password and receive the login token. SMS is insecure as well and not everyone wants to give Bluesky their phone number. I'd like to see TOTP support in the near future so people can use authenticator apps for a true 2nd factor (email isn't one), and WebAuthn / FIDO2 support in the far future.
Adding my support for this as well. With the platform growing at such rapid rates, it's just a matter of time for us to start hearing the horror stories of lost accounts and identity scams. This is not only a crucial security feature by itself, it's also a very clear money saver for Bsky in support tickets for these kinds of issues. With robust 2FA, it's guaranteed to reduce it tenfold. Also, mentioning this issue, as it seems for self-hosted PDSs, not even email 2FA is supported, which is very concerning.
I doubt that. Way too many people are too stupid to know that "You have to backup your recovery keys" means that they have to really, actually backup their recovery keys, and then they'll come whine to the support when they lose their only registered authenticator and can't access their account anymore. When they do add proper 2FA, I hope that A) they make it crystal clear that you need to backup your 2FA restore keys (and IMO they should enforce that by asking you for one of the recovery keys like a week after you enabled 2FA to make sure you actually have these stored), and B) they need to implement it like GitLab, who refuses to have support reset the 2FA data for any reason, or at least have a looong waiting / verification process to get 2FA disabled. If all you need to do is send a message to the support to get 2FA disabled again, then you might as well skip it, because it would yet again mean that control over the email account alone would also mean control over the Bluesky account. An attacker who gets access to the email account but not the 2FA authenticator could then just contact Bluesky to reset it, which voids the entire purpose of 2FA.
I get what you're saying, and I agree to some extent, but in my experience the great majority of attacks like these stop at the "please put in your 2FA codes". As much as people are prone to not backing up recovery codes, they are even more prone to using insecure, leaked passwords for both their accounts and emails, which a proper 2FA flow stops (especially if well enforced). The fact an attacker would have to go the extra mile to contact support and socially engineer their attack adds a layer that, IMO, does stop a multitude of way simpler "try the leaked password from the 1000th leak list" methods.
If you want serious people to use Bluesky you had better have more robust 2FA. There are numerous examples on lots of platforms, particularly X, where significant accounts and businesses were compromised by SIM swap attacks and email takeovers (sometimes backed by a SIM swap). Yes, there will be users who lose their backup codes. But if you want government accounts, companies, and individual users with large followings to know that they aren't going to have some yahoo take over their account and start spewing crypto spam, abuse material, or in the case of companies actually try to move financial markets. I would like to see support for:
I agree completely. My response was to address the reply that 2FA is not useful if there's no enforcement when people can email the company and just deactivate it, which there is validity to that claim, but IMO we shouldn't give up on 2FA because of it. Quite the contrary, there must be a firm stance that accounts that lost keys will not recover access and that's just that. In fact, Bsky is already very clear that if you lose your account doing, say, a badly executed PDS account migration, it leads to loss of data / access and they can do nothing about it. So it seems like this is already their stance. +1 to all the features you listed.
Please vote 👍 if you would like to see support for: Passkeys
👍 to MFA generally, and authenticator apps of choice more specifically. This is the kind of thing that heads off problems in the long run, and with the recent explosion in the user base I suspect that soon, we will either be glad it exists or very much regret that it doesn't.
+1 on TOTP
Strong +1 for TOTP
Used my GitHub passkey to sign in to upvote this and it was so stupidly easy. How often do you get a security win AND a UX win at the same time? Passkeys ASAP please!
As Bluesky's user base grows, robust authentication like passkeys and OATH-TOTP becomes crucial. Email verification is a good start, but isn't foolproof: emails can be compromised, leading to breaches. Passkeys offer more secure, user-friendly authentication, reducing weak or reused passwords. However, these methods can be complex for some users and may create entry barriers. Despite that, enhancing security is very important for protecting data and trust as Bluesky expands. I ask that we balance usability with security to ensure ongoing success in an increasingly targeted digital space.
Yes please. And echoing a previous comment, please avoid SMS-based 2FA. Not secure enough in the presence of SIM swap fraud.
There is also another issue specifically for passkeys: #1164. This is now the 7th most requested feature. Please vote 👍
I would like to see OATH TOTP MFA at minimum, aka app-based MFA. I personally use YubiKeys, which are hardware security (FIDO/WebAuthn) keys, primarily. I've been using my YubiKeys to log in to my Mastodon and even Twitter for years. I would love to see YubiKey support. Let's completely avoid SMS MFA; it's insecure and also costs money for the server provider. SMS MFA isn't even an option in Mastodon either. I do use the email MFA, but email is not a really secure medium either, and the email security I add to my system can delay it up to 10 minutes sometimes during analysis. So it's a really annoying inconvenience compared to a YubiKey. P.S. I used my YubiKey to log in and vote for this.
This is holding me back from being able to recommend this platform.
It's particularly concerning that this issue was marked as "on the roadmap" back in August 2023. How is decent MFA not considered one of the highest priorities?
Authenticator passkeys and FIDO/hardware support please :D
Passkeys are needed ASAP.
+1 on MFA options.
Passkeys, no SMS.
I recognise this is another comment, but in the interest of reducing spam for maintainers and others watching this issue, can people please do a 👍🏼 reaction on the issue itself, rather than leaving new comments supporting this feature? This won't spam notifications out to everyone, and will also increase the rank of this issue in the tracker. There are also multiple comments supporting passkeys or against SMS; consider adding a 👍🏼 reaction to one of those, rather than leaving a new comment which again spams others. Thank you, and sorry for being the grouchy old man in this issue! Love to all! ❤️
My prior comment was intended to provide a rough order of priority for MFA implementations. I see that I wasn't clear about that. My apologies for that. Please refrain from calling user feedback "SPAM". It's quite off-putting.
Sorry, wasn't trying to put you off @ericjmorey. Just making a general comment and wasn't thinking of your comment in particular. All good.
Also, while I agree with the sentiment, people voicing their support in new comments does a lot to emphasize how wanted a feature is, especially when people (like in this case) share their experiences with the different types of MFA they engage with. You can always unsubscribe from the thread to stop being notified. I think it's important that the devs are also notified and see how desired certain issues are. As a repo maintainer myself, marking reactions is good, but it's when people open and reply to issues that I usually see them.
This is absolutely necessary: as the importance of Bluesky increases, so will the incentives for bad actors to compromise accounts.
If anyone is concerned about spam, they can simply customize the notifications they receive:
+1 to this
It is the end of 2024, nearly 2025. MFA is no longer optional. With the massive increase in users, Bluesky is a cyber target. Bluesky Development: add MFA ==NOW==.
NO - this is too important and too urgent. Make noise and flare.
At the risk of contributing to the annoyance...
There's no way to differentiate between meaningful updates from the team in this issue and us general users who just want a feature. Use the reactions and reduce the noise-to-signal ratio. All that said: Devs, could we get an update on when this is likely to land? Or a summary of what still needs to happen before it does?
Is your feature request related to a problem? Please describe.
2-factor authentication is generally a very handy feature for security purposes, as passwords and logins sometimes fail. 2-factor authentication has become a very common addition to the login suite for protection.
Describe the solution you'd like
Implementation and support of some kind of 2FA for accounts.
Describe alternatives you've considered
Didn't have anything in mind particularly, just thinking of security lockdowns on user accounts.