Account: Add Support for 2-Factor Authentication

[swingstate]

I am thinking to host my pp instance behind a reverse proxy to allow colleagues etc. to access albums.

However, I think the lack of two-factor authentication is a "minus" for publically hosted / accessible instances. Hence my ask to add this as a near-term feature, at least for 2FA apps such as google authenticator / Authy (Google agnostic) / FreeOTP / Microsoft Authenticator to name a few.

Long term support for Authelia should be added to the backlog.

Security should go first and it would be a big plus for pp to have this on the feature list. :)

Screenshots

Settings > Account

Login with 2FA

[benmccann]

Another idea might be to support login via OAuth / OpenID providers such as Google, Apple, Microsoft, etc. This would probably be a prerequisite for connecting to the APIs of any of those providers. And it may also be helpful in the case where multi-user support is added as it may be easier to have friends or family login using their existing accounts rather than creating another one (login via local password creates its own challenges such as password reset). Those providers all offer 2FA, so depending on your needs that may accomplish support for 2FA in the process.

[krisnova]

After working on a Go client and building out an auth mechanism - as a security engineer I am willing to put in some free cycles to help out with an OAuth / 2FA implementation in the backend Go code. No idea when I will have time, but I am happy to help/fund if needed :)

[swingstate]

$128 donated, hope it helps to bring this feature to life.

[lastzero]

Thank you for your kind donation! 💐

As already answered in the chat, additional multi-user features have not been released yet. This is partly because a few unexpected issues like security vulnerabilities in Go and Log4j surfaced before Christmas and we have a zero bug policy.

They will be released when we deem them safe and bug-free. Besides providing support and fixing bugs discovered in the stable release, this is currently our highest priority.

When OpenID Connect integration has been released, two-factor authentication can be "enabled" by using a provider that supports it, for example Keycloak or Google.

We may later add a full, standalone user management to PhotoPrism, but don't see enough value in it at this time given the many other feature requests and ready-to-use user management solutions.

[bestrocker221]

In my opinion a key plus point of photoprism was the complete detachment from Google/Apple/whatever, so that you can completely be self reliant with no other providers. For many, privacy comes first.
In that way, a 2FA for locally managed accounts would be awesome!

[avm99963]

@bestrocker221 You could also use Keycloak (as mentioned by @lastzero) which is open-source and self-managed.

[NemesisRE]

or authentik

[Kvaksrud]

In a world of constant security challenges MFA is a must! Get a date set :)