Multi-factor authentication #14
Comments
Tracking this with the Netlify team - we will see if we can add this and merge it into their server. We're in the process of catching up our UI to GoTrue's full API potential, so this will likely be a task for next month's release.
I'm moving this to our GoTrue fork - let's see if we can do this during Hacktoberfest 🚢
any ETA? :D
Any plans to support WebAuthn?
Hello! I've been using Supabase for some months and I love it! I'm dealing with crypto and exchange APIs on my website, so naturally some of my users asked for 2FA, and while searching for how to do it I found this issue, so I'm here to confirm the need for 2FA for Supabase sign-in ✅ I thought about doing my own TOTP system but it cannot be secure enough since Supabase will always give the accessToken with a proper email and a password given to it. That's all, thank you for the great work 👋
I love Supabase too, the only reason I'm not using it for my current project is because of the lack of MFA. Any ETA?
We're working on it! Out of curiosity, which aspect of MFA are you hoping to integrate (e.g. TOTP authenticator, SMS, email)? Can't say much but there'll be updates on the feature before our next launch so keep your eyes peeled for then... 👀
I hope for a TOTP authenticator, because that's more independent, so it's more secure, and it doesn't need to wait for a message to be received.
Just came here from the blog post and wanted to voice my support specifically for TOTP and especially WebAuthn. A long term stretch of being able to fire off a push notification would be awesome too, but I don't think it's as easy or reasonable to implement. Okta has a pretty nice breakdown of the various MFA security options available today: https://help.okta.com/en-us/Content/Topics/Security/mfa/about-mfa.htm
@RichiCoder1 We've noted your feedback -- the table in the link you've provided gives quite a nice comparison so thanks for that!
When your users use a Social Provider (e.g. Login with Google) to access your services via Supabase, shouldn't MFA work (on the Social Provider side), if the Social Provider supports it? E.g. when we talk about Google as Social Provider, you'd enable MFA in the Cloud Console (https://cloud.google.com/identity-platform/docs/web/mfa)
Hey @steffenstolze yup you are right, if you have MFA enabled on the Social Provider and you are logging in with your social provider then you will have to use MFA. However, this wouldn't cover all cases (e.g. email/password) which may be needed for compliance purposes or general security reasons
@J0 Absolutely! A complete solution that covers all use cases would be the best, of course 👌🏻
Is the 2FA feature ready yet? I am building a system that needs 2FA and was wondering if the GoTrue API has this feature or should I use something else like ORY/Kratos?
Hey everyone, @J0 is working on this feature in gotrue and you guys can check out the
Hey team, Going to close this issue since TOTP MFA has landed in prod. If anyone has issues please feel free to reach out. Thanks!
For Webauthn MFA and Passkey support please follow #92
Since initial feature request mentioned U2F, just a question, is it going to be implemented?
hi @tomekit, it's on the roadmap but we don't have a timeline for this yet as we are prioritising other features such as webhooks / anonymous logins over U2F right now
Bump? Would be a nice feature to just have FIDO on Supabase itself... log into Supabase via FIDO
Hey @ProductOfAmerica, Thanks for the feedback - could we trouble you to head over to #92 to add feedback and/or thoughts instead?
I'm submitting a ...
Summary
MFA would be a very nice addition to the auth module.
Here are two standards that I think should be supported: