Implement token-based 2FA authentication #5163
Comments
Any update on this? It is annoying to get the code via Email every time. It would be easier to just implement 2FA using TOTP.
There's no update, no. If there was an update it would be posted in this issue.
Commenting about this... Using a 2FA app like Authy would be a good option for others, it’s also more convenient to do. So if people are not getting codes via email they at least have a second option to choose from, like a 2FAS app. iirc it can still be the same codes we get through email (hybrid of numbers and letters) using Authy or any other app for 2FAS authentication.
I'm not a fan of Authy, I just want to see the secret code in a QR code (or manual) then input that to something like Google Authenticator and use that code to generate Time-based One-Time Password (TOTP) that has 6 digits and 1 minute of expiry. Honestly, logging in to my e-mail just to confirm my login is a PITA. If you are wondering, the email provider does permit IMAP/SMTP access, that is why it is a PITA. And no, I am not switching email.
I'd like to take a stab at implementing this. Is anyone working on it currently or is it free to take?
has not been started yet; go for it!
Just to make sure, we want both a token prompt when logging in if you have 2fa/totp enabled like on other websites, and also for it to replace the email verification in other places we use it, right? Also would like to know if we want to give people an option to fall back to email if they lose their authenticator, or not.
I would have the fallback to email available for now, yes. We can decide to turn that off based on user feedback (or make it a toggle) in the future, but initial goals should be to improve convenience, not security (and support overhead after people lock themselves out).
Branching this off #2862, as it's now related to the client-specific stuff.
We should have an option for users to use a TOTP-based two-factor authentication method, in addition to the current, email-based one.
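The enrolment and login check discussed in this thread, as an added example that is not code from this project: a secret handed to the authenticator app through an `otpauth://` URI (the content of the QR code), and a 6-digit check that tolerates clock drift and refuses a code that was already used. The issuer name `ExampleSite`, the 30-second step, the ±1-step window and the `last_step` value stored per user are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

DIGITS, PERIOD = 6, 30  # assumed parameters; 30 s is the RFC 6238 default step

def new_secret() -> str:
    """160-bit random secret, base32-encoded for manual entry or a QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret_b32: str, account: str, issuer: str = "ExampleSite") -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, last_step: int, now=None, drift: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Accepts +/- `drift` steps of clock skew and rejects any step <= last_step,
    so a code that was already accepted cannot be replayed.
    """
    key = base64.b32decode(secret_b32)
    current = int(time.time() if now is None else now) // PERIOD
    matched = None
    for step in range(current - drift, current + drift + 1):
        # compare_digest avoids leaking how many digits matched via timing
        same = hmac.compare_digest(hotp(key, step).encode(), code.encode())
        if same and step > last_step:
            matched = step
    return matched
```

On success the caller stores the returned step as the user's new `last_step`; a `None` result is where the email fallback from the discussion would apply.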