hackmdio / hackmd-io-issues

Reporting issues about HackMD Enterprise Edition and HackMD.io

Native sign-in with multi-factor authentication (MFA) #319

Open adam-hurwitz opened 1 year ago

adam-hurwitz commented 1 year ago

About

Native sign-in with MFA allows for the user to own their account and data with maximum security. This aligns with the open-source values of HackMD.

User flow

  1. Create a HackMD account with a native username, password, and email (not using a third-party sign-in like Twitter or GitHub).
  2. Under Settings, set up multi-factor authentication (MFA) or two-factor authentication (TFA).
     a. Choose the type of MFA: FIDO2 with a hardware device like a YubiKey, or OATH-TOTP with an app like Yubico Authenticator, email, or phone number.

Alternative

Migrate an account's native sign-in from username and password to third-party sign-in for MFA

jackycute commented 1 year ago

Hi @AdamSHurwitz, thanks for giving us the idea; we will let our team know about this. It is important for us to provide MFA for users to protect their accounts, and we will investigate solutions.

adam-hurwitz commented 1 year ago

Much appreciated @jackycute!

I will use a third-party service in the meantime in order to have MFA protection. Also, I've reached out to support@hackmd.io with a related security vulnerability.