Replies: 70 comments 5 replies
-
To do a sensible job of this we should probably have a seperate 3PID verification service, as proposed in matrix-org/synapse#1710. |
Beta Was this translation helpful? Give feedback.
-
Is there any update on the work for this or anything? |
Beta Was this translation helpful? Give feedback.
-
Another crucial option would be via X.509, which would allow a large array of existing authentication methods to be used transparently. |
Beta Was this translation helpful? Give feedback.
-
Relevant: matrix-org/olm#5 |
Beta Was this translation helpful? Give feedback.
-
RFC6238. Then people can use Google Authenticator, Authy, LastPass Authenticator, or pretty much any other standard 2FA app. |
Beta Was this translation helpful? Give feedback.
-
I'd really like to see Fido U2F like it's implemented by Yubico etc. |
Beta Was this translation helpful? Give feedback.
-
I strongly second U2F. It is well tested, standard, built to withstand phishing attacks, and never exposes any secrets to system memory. |
Beta Was this translation helpful? Give feedback.
-
Correct me if I'm wrong but wouldn't this require it to be implemented in a Matrix implementation rather than Riot? Matrix would have to support U2F, with Riot just passing on the authentication request. |
Beta Was this translation helpful? Give feedback.
-
@RyanSquared It would need to be implemented in a both the UI and the authentication server IIRC. |
Beta Was this translation helpful? Give feedback.
-
So if it needs to be implemented on a backend server as well, is there a relevant issue for U2F or other 2FA methods on a backend server (or for the protocol)? |
Beta Was this translation helpful? Give feedback.
-
+1 for U2F |
Beta Was this translation helpful? Give feedback.
-
this is starting to get more urgent with the advent of cryptocommunities and other security-focused communities embracing Matrix. need to check out U2F and how it compares to TOTP and friends. |
Beta Was this translation helpful? Give feedback.
-
FYI, Firefox does not support U2F out of the box currently, but it was added to nightly last week, so should hopefully land at some point in the not too distant future. |
Beta Was this translation helpful? Give feedback.
-
I'd say it's not "last week", based on this article: https://www.yubico.com/2017/09/firefox-nightly-enables-support-fido-u2f-security-keys/ |
Beta Was this translation helpful? Give feedback.
-
Before Firefox 57 you can use an addon for Firefox to use U2F. I currently use U2F without any addons in Firefox 57 Beta. According to their release schedules, they release Firefox 57 on 2017-10-14 (https://wiki.mozilla.org/RapidRelease/Calendar). I had to enable it manually though. |
Beta Was this translation helpful? Give feedback.
-
I'd like to point out that I have an outstanding feature request that I reported for TLS / X.509 client certificate authentication. If implemented, it would require no change at all to Synapse, Dendrite, or the Matrix protocol, and would still provide an additional factor of very robust, well-understood authentication. |
Beta Was this translation helpful? Give feedback.
-
I believe a TLS certificate would not be what a regular user expects from a platform offering MFA. By looking at the comments in this issue it is clear that TOTP, U2F and FIDO2 / WebAuthn are prefered methods. |
Beta Was this translation helpful? Give feedback.
-
SMS is not 2FA, everyone with an SS7 account can listen to the messages. Email is unencrypted. What about TOTP? Let's just stick to well-established standards. https://tools.ietf.org/html/rfc6238 Standards ftw! |
Beta Was this translation helpful? Give feedback.
-
Obligatory response: https://xkcd.com/927/ |
Beta Was this translation helpful? Give feedback.
-
TOTP would be nice if added |
Beta Was this translation helpful? Give feedback.
-
Since 2016.. and counting |
Beta Was this translation helpful? Give feedback.
-
TOTP? FreeOTP, Aegis, Google Authenticator, hardware OTP? |
Beta Was this translation helpful? Give feedback.
-
I believe the intent was to use the second device, already signed into Matrix, as a 2FA method. |
Beta Was this translation helpful? Give feedback.
-
Hi guys! I just read this topic, and I'm quite interested! Do we have any updates on the 2FA? Is it still under discussion or is it in production? |
Beta Was this translation helpful? Give feedback.
-
I think Element has given up on this and moved the issue to https://areweoidcyet.com/ 2FA/MFA currently depends on login system of your homeserver |
Beta Was this translation helpful? Give feedback.
-
Steal a device or get access for half a minute, add a device... This does not seem to be a good idea. I'd go with WebAuthn instead. Or alternatively a way to disable this and require entering the password to enable this again. |
Beta Was this translation helpful? Give feedback.
-
Also, WebAuthn. The standard many sites now adopt. Much better than TOTP, but for the users that don't have a WebAuthn device, TOTP is still better than no 2FA at all. |
Beta Was this translation helpful? Give feedback.
-
OIDC seems to be the way forward (for synapse, dendrite just dropped PR for OIDC). So make sure you pick an auth provider that supports 2FA. https://areweoidcyet.com/ . WebAuthn is supported by a very wide range of devices since google/apple/microsoft passkeys are built on top of webauthn. |
Beta Was this translation helpful? Give feedback.
-
Is there any update on this type of FIDO2/WebAuthn authentication? |
Beta Was this translation helpful? Give feedback.
-
Still no 2FA support and it's been almost 8 years since this was requested for the first time. What a joke. |
Beta Was this translation helpful? Give feedback.
-
When I log in (using a username/password or 3PID/password combo), we should give users the option to also require a two factor authentication (or multi-factor authentication) via other channels. Options are:
Beta Was this translation helpful? Give feedback.
All reactions