bluesky-social / social-app

The Bluesky Social application for Web, iOS, and Android
https://bsky.app
MIT License

2-Factor Authentication Support #1071

Open TheRipperoni opened 1 year ago

TheRipperoni commented 1 year ago

Is your feature request related to a problem? Please describe.

2-Factor authentication is generally a very handy feature for security purposes as passwords and logins sometimes fail. 2-Factor Authentication has become a very common addition to the login suite for protection.

Describe the solution you'd like

Implementation and support of some kind of 2FA support for accounts

Describe alternatives you've considered

Didn't have anything in mind particularly, just thinking of security lock downs on user accounts

Yuuyatails commented 1 year ago

I'm no programmer, but I can say that 2FA is needed. The problem is what kind of 2FA will be implemented. There are four types of 2FA: email-based, SMS-based, authenticator-based and FIDO-key-based.

Out of all four 2FA methods, SMS-based is the least secure method because it is known to be vulnerable to SIM Swap Attacks, and operating the SMS-based 2FA can be costly.

My suggestion would be to implement only the email-based, authenticator-based and FIDO-key-based methods.

Zero3K commented 8 months ago

Any news regarding this?

ghost commented 8 months ago

Yeah make this a priority please

deviantsemicolon commented 8 months ago

This needs to happen ASAP. We can't have a social network without 2FA. Put this before federation.

Eutropios commented 6 months ago

> This needs to happen ASAP. We can't have a social network without 2FA. Put this before federation.

Strong agree, especially in a time where governments are scrutinizing the security of social media platforms.

surfdude29 commented 6 months ago

OAuth needs to be implemented before 2FA can be added. In this post @/dholms said:

"OAuth is coming & will give us some good options for implementing 2fa 👌"

The Bluesky team are in the process of implementing OAuth, especially @/matthieusieben in this PR.

ghost commented 6 months ago

> OAuth needs to be implemented before 2FA can be added. In this post @/dholms said:
>
> "OAuth is coming & will give us some good options for implementing 2fa 👌"
>
> The Bluesky team are in the process of implementing OAuth, especially @/matthieusieben in this PR.

Please warn here once it is live (because I recently successfully removed all services that do not have 2FA from the ones I use, so for me it's a deal breaker (for now) :) Will join once done.

Eutropios commented 6 months ago

> OAuth needs to be implemented before 2FA can be added. In this post @/dholms said:
>
> "OAuth is coming & will give us some good options for implementing 2fa 👌"
>
> The Bluesky team are in the process of implementing OAuth, especially @/matthieusieben in this PR.

@surfdude29 I appreciate the update! I don't mean to come off as pushy. I am greatly appreciative of the work you all do

surfdude29 commented 6 months ago

> @surfdude29 I appreciate the update! I don't mean to come off as pushy. I am greatly appreciative of the work you all do

@Eutropios No worries! Fwiw your comment didn't come off as pushy to me, and I agree it's very important for Bluesky to implement 2FA as soon as they can.

Also, just to clarify, I make small contributions every now and then, but I'm not part of the Bluesky team or anything, I just thought it might be helpful to pass on here the latest that I'd heard about 2FA :)

KenGoBlue commented 5 months ago

> @Yuuyatails My suggestion would be to implement only the email-based, authenticator-based and FIDO-key-based methods.

I signed on just to second this — especially for authenticator-based/OTP 2FA.

surfdude29 commented 5 months ago

Quick update for those following, @/pfrazee posted just over an hour ago:

> An email-based 2FA will be in the next release, and more factors will come in the next few months after our OAuth layer lands

The email auth factor landed in #3602 and the relevant atproto PRs look to be https://github.com/bluesky-social/atproto/pull/2416 and https://github.com/bluesky-social/atproto/pull/2419.

surfdude29 commented 5 months ago

Another quick update, 2FA using email is now available on the web 🎉

I tried it and it worked great 👌

Just something to be aware of though, if you enable it now on the web, it won't be possible for you to log in using the iOS or Android app until you have the 1.79 update (unless you disable 2FA on the web first, of course).

The 1.79 update is currently awaiting review by the app stores and will hopefully be available in the next few days.

surfdude29 commented 5 months ago

The 1.79 update is now rolling out in the app stores with 2FA via email 🚀

(last update from me, sorry for sending so many)

ghost commented 5 months ago

> The 1.79 update is now rolling out in the app stores with 2FA via email 🚀
>
> (last update from me, sorry for sending so many)

Thanks for the heads up, but it will be without me on email as it's not secure; hope you will not make the same mistake on the more secure one (webauthn/passkey to "hide" it behind OTP).

But congratulations on this first step!

ghost commented 3 months ago

> The 1.79 update is now rolling out in the app stores with 2FA via email 🚀
>
> (last update from me, sorry for sending so many)

As a simple heads up, any news on the SSO (for more advanced 2FA)?

surfdude29 commented 3 months ago

> As a simple heads up, any news on the SSO (for more advanced 2FA)?

@/bnewbold said on 4 June about OAuth:

> We don't commit to specific timelines publicly, but we have done a lot of work on it and it is finally coming together, will hopefully be rolling out in stages in the next few weeks.

@/matthieusieben is still hard at work, putting what are hopefully finishing touches on the OAuth implementation – the latest PR is here: https://github.com/bluesky-social/atproto/pull/2483

meguroyama commented 1 week ago

I'd like to ask if OATH-TOTP or passkey (webauthn) support is being considered?