2FA for logins

[ara4n]

When I log in (using a username/password or 3PID/password combo), we should give users the option to also require a two factor authentication (or multi-factor authentication) via other channels. Options are:

• 2FA by email
• 2FA by SMS (MSISDN)
• 2FA by matrix, using another device.

[Agorise]

"2FA by matrix, using another device." - This is definitely needed, especially by a "Verified" alternate device (text, emoji, etc).

[saintlux897]

Pls I tried imputing my password for got hub but it anit going

[MarcusWichelmann]

Please keep in mind, that FIDO2/WebAuthn also supports password-less single factor authentication using only your hardware key (and maybe an additional PIN to unlock the device). Would be great, if you could support this too so passwords are no longer needed. The concept of passwords as an identification secret is fundamentally broken, anyway.

This would of course require mechanisms to register multiple authentication devices or generate backup keys so one doesn't lock itself out when loosing a device.

[jans23]

Please keep in mind, that FIDO2/WebAuthn also supports password-less single factor authentication using only your hardware key (and maybe an additional PIN to unlock the device).

Once a PIN is required, it is two factor authentication.

[jtagcat]

jfyi It's the 'passwordless' movement you are defining.

In essence, it's just a more secure 1FA. The authentication merges to one factor during communication with the service.

Metaphorically speaking, if you have a key enclosed in a box, you open the box with a code to take out the key. You still use one key to open the door, as opposed to a keyhole and a pin on the door.

Nevertheless, PIN + hardware, considering most of the users and use cases, is still, likely to be more secure than just a passphrase/PIN.

[ara4n]

In case anyone is wondering why this hasn’t happened yet: we’ve found that most people who want 2FA are also using SSO, and so can use the SSO provider (keycloak etc) for this.

However, we still want to get it natively into Matrix, but it’s in the middle of the feature backlog.

[JonathanWilbur]

I'd like to point out that I have an outstanding feature request that I reported for TLS / X.509 client certificate authentication. If implemented, it would require no change at all to Synapse, Dendrite, or the Matrix protocol, and would still provide an additional factor of very robust, well-understood authentication.

[networkException]

I believe a TLS certificate would not be what a regular user expects from a platform offering MFA. By looking at the comments in this issue it is clear that TOTP, U2F and FIDO2 / WebAuthn are prefered methods.

[DC7IA]

• 2FA by email

• 2FA by SMS (MSISDN)

SMS is not 2FA, everyone with an SS7 account can listen to the messages.

Email is unencrypted.

What about TOTP?

Let's just stick to well-established standards.

https://tools.ietf.org/html/rfc6238

Standards ftw!

[mjeveritt]

Let's just stick to well-established standards.

https://tools.ietf.org/html/rfc6238

Standards ftw!

Obligatory response: https://xkcd.com/927/

[CoolGaM3r215]

TOTP would be nice if added

[thalesfsp]

Since 2016.. and counting

[SergeyDjam]

2FA by matrix, using another device.

TOTP? FreeOTP, Aegis, Google Authenticator, hardware OTP?

[RyanSquared]

2FA by matrix, using another device.

TOTP? FreeOTP, Aegis, Google Authenticator, hardware OTP?

I believe the intent was to use the second device, already signed into Matrix, as a 2FA method.

[Mikaela]

I think Element has given up on this and moved the issue to https://areweoidcyet.com/

2FA/MFA currently depends on login system of your homeserver

[erebion]

"2FA by matrix, using another device." - This is definitely needed, especially by a "Verified" alternate device (text, emoji, etc).

Steal a device or get access for half a minute, add a device... This does not seem to be a good idea. I'd go with WebAuthn instead.

Or alternatively a way to disable this and require entering the password to enable this again.

[erebion]

Also, WebAuthn. The standard many sites now adopt. Much better than TOTP, but for the users that don't have a WebAuthn device, TOTP is still better than no 2FA at all.

[ptman]

OIDC seems to be the way forward (for synapse, dendrite just dropped PR for OIDC). So make sure you pick an auth provider that supports 2FA. https://areweoidcyet.com/ . WebAuthn is supported by a very wide range of devices since google/apple/microsoft passkeys are built on top of webauthn.