TheSpaghettiDetective / obico-server

Obico is a community-built, open-source smart 3D printing platform used by makers, enthusiasts, and tinkerers around the world.
https://obico.io
GNU Affero General Public License v3.0

Implement 2-Factor Authentication #296

Open as-kholin opened 4 years ago

as-kholin commented 4 years ago

For various (good) reasons, Octoprint is recommended to not be made available directly on the Internet (unless compensating controls are added). Especially with tunneling, if someone's TSD account gets hacked, then they have effectively done just that. Not saying that TSD does not add some security, only that people being people, chances are this will happen to at least some due to poor password management procedures.

While we cannot prevent that entirely, we can make it materially harder to occur by allowing (or possibly, in the case of tunneling, requiring) 2-Factor Authentication/Multi-factor Authentication.

Request enhancement to add at least TOTP (Google Authenticator, Twilio Authy, etc), possibly including some other 2FA mechanisms (U2F, FIDO2, Yubikey, etc). Defer to others if any sort of SMS auth is worth considering, given criticisms of this route vs. ubiquity.

kennethjiang commented 4 years ago

It is a very good point. And a PR will be really appreciated! :)

donicrosby commented 3 years ago

There's already a Django library https://github.com/Bouke/django-two-factor-auth (MIT Licensed) that you could use that has everything that you would want for this issue. I can implement this and make a PR if it's acceptable to use this 3rd party library.

kennethjiang commented 3 years ago

Of course we can use 3rd party lib. We are using a ton of them. :)

Yes a PR will be very welcome!

GJSchaller commented 9 months ago

Checking back on this, is there any way a non-technical person can help?