Open adryd325 opened 1 year ago
I believe Modrinth has stated that they plan to allow enabling this on a per-author basis once they roll out their rewritten authentication.
Other platforms that allow uploading code for other users to execute (e.g. NPM) require 2FA for all users. While 2FA is inconvenient, I believe it should be a requirement, not an optional thing.
I'm not sure if it's possible to require this for SSO?
I'm happy with this as long as there is an option to manually enter the key. I don't always have my phone on me, and it's annoying to have to open Bitwarden on my phone and capture the QR code on my screen due to a design oversight. I'm not sure how in-scope this is, but hopefully it's implemented correctly. Maybe we could add some blanket requirements for implementation (e.g. no SMS/E-Mail auth)?
The implementation would probably have to be entirely on the mod platform side without relying on auth partners.
Completely agree with the displaying-the-secret part; there are so many reasons to display it. In my case it's loading the 2FA secret onto a bunch of YubiKeys. As for requirements for implementation: I'm not an expert with 2FA implementations, so I probably wouldn't be the best for this.
Requiring TOTP or security keys for uploading artifacts could prevent attackers from uploading mods to compromised accounts in the event that a signing certificate is leaked; or, if signing certificates aren't implemented, could also protect against credential stuffing.
I mention specifically TOTP or physical security keys because SMS 2FA is inaccessible to people without a consistent phone number and can be subject to SIM swapping attacks. Email 2FA might also not be the best option because those with reused passwords also likely reuse a password for their email.
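As an added illustration of the two points raised in this thread (showing the base32 secret next to the QR code so it can be typed in or loaded onto a hardware token, and verifying TOTP rather than SMS/e-mail codes), here is a minimal RFC 6238 TOTP enrollment and verification flow. This is example code, not Modrinth's implementation; the issuer/account names and the `used_steps` replay set are assumptions of the example.

```python
# Added example: minimal RFC 6238 TOTP enrollment and verification (not Modrinth's code).
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def enroll(issuer, account, secret_bytes=None):
    """Start a TOTP enrollment and return (base32_secret, otpauth_uri).

    The otpauth URI is what gets rendered as a QR code; the base32 secret is
    shown beside it so a user can type it into an authenticator or load it onto
    a hardware token when scanning the screen is not an option."""
    if secret_bytes is None:
        secret_bytes = secrets.token_bytes(20)  # 160-bit secret, as RFC 4226 recommends
    b32 = base64.b32encode(secret_bytes).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
           f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return b32, uri


def _key(b32_secret):
    # Re-add the base32 padding that enroll() stripped for display.
    return base64.b32decode(b32_secret.upper() + "=" * (-len(b32_secret) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(b32_secret, at=None, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    t = int(time.time() if at is None else at)
    return hotp(_key(b32_secret), t // period)


def verify(b32_secret, code, used_steps, at=None, period=30, window=1):
    """Accept a code for the current step or one step either side (clock skew),
    compare in constant time, and never accept the same step twice (replay)."""
    t = int(time.time() if at is None else at)
    current = t // period
    for step in range(current - window, current + window + 1):
        if step not in used_steps and hmac.compare_digest(hotp(_key(b32_secret), step), code):
            used_steps.add(step)
            return True
    return False
```

The `used_steps` set would be per-account server-side state in a real deployment; here it just demonstrates that a captured code cannot be replayed within the acceptance window.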