postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Multi-Factor Authentication #6452

Closed chrisdeso closed 1 year ago

chrisdeso commented 5 years ago

Is your feature request related to a problem? Please describe. Add Multi-Factor Authentication as an option for users/teams.

Describe the solution you'd like Two-factor authentication:

Additional context [Filed by Postman]

stpete111 commented 4 years ago

This is an incredibly crucial feature for us. Unauthorized access to our Postman calls could lead to our entire architecture being brought down and disabled.

codebymattllc commented 3 years ago

Yes please add this feature! It's 2021 and literally every account I have is MFA except postman which is very important to me.

ziegenberg commented 3 years ago

It was suggested by Postman support to use 2FA with a Google account to log in, but that's not really an option if you don't want to or cannot use Google accounts. Implementing 2FA/MFA would be really nice. Simple software tokens (like TOTP) for starters and maybe hardware tokens (U2F) in a later iteration.

lrzuniga commented 2 years ago

2022 and no MFA...disturbing

dev415 commented 2 years ago

We are going to have to stop using the tool until MFA is enabled.

hvkooten commented 2 years ago

Please implement MFA!

romualdr commented 2 years ago

+1 for this.

I can see that you've added a card in the public roadmap: https://github.com/postmanlabs/postman-app-support/projects/45#card-59042393

One question: what does "[entreprise/business]" mean in the title? Does it mean this feature will only be available / paywalled only for business / enterprise?

If so, please consider this option: "Allow every account to have MFA for their account, but make the 'Enforce MFA for my team' option only for enterprise / business."

MFA is basic security at this point and IMHO shouldn't be paywalled for private accounts, I think this option fits the best of both worlds.

Thank you for your consideration.

cloudworkpro-sean commented 2 years ago

Postman is a great product but this seems like a miss in the security strategy. MFA/2FA is standard in most modern services, particularly those that support software development. I agree with @romualdr in that this feature should be available to all plan levels.

Thanks!

ProjectCleverWeb commented 2 years ago

Would really love to have this feature! Even if it's just authenticator OTP support, any type of MFA would greatly help when it comes to security audits.

On a similar note, Authy (owned by Twilio) has really good support for this (and more) and even adds some features that are missing from both Google & Microsoft's authenticator apps!

EvertonMJunior commented 2 years ago

Had to log into my Postman account on another computer today, and realized I didn't have MFA auth enabled. Got home, went searching for it, and it absolutely blew my mind that Postman had no support for it. It's really important to have another factor of authentication on a software that is used every day by millions with security credentials and sensitive info. And I second @romualdr, please don't make this a paid feature. It's a basic nowadays. A good idea would be, as he suggests:

"Allow every account to have MFA for their account, but make the 'Enforce MFA for my team' option only for enterprise / business."

Really looking forward to seeing new developments on this issue as soon as possible. My love for Postman would only increase! haha

corsair400r commented 2 years ago

add 2 step auth via codes, SMS anything

mrthomaskim commented 2 years ago

ditto, need MFA. anything is better than just typing the passwords

djeraseit commented 2 years ago

I have a Yubico hardware token and Google Authenticator on my mobile. I also use SMS.

I read the ebook about wanting to be the leader in the world of APIs.

Not having a secure website is absolutely horrific.

In the meantime, please do not log in to the Postman site from:

1) Behind a proxy
2) Shared computer
3) Computer infected with malware
4) Computer with a key logger
5) Compromised device
6) Browser with malicious plugins
7) Compromised DNS server (can redirect to fake login screen)
8) Phishing email (can present fake login screen)

And cross your fingers the Postman password database isn't ever compromised.

aumil commented 2 years ago

In this day 2FA is a must. This is serious and very disturbing. It does not take much to implement basic 2FA. Please do it sooner before you are compromised.

EvertonMJunior commented 2 years ago

Any updates? This is a critical security feature, I'm not really comfortable with leaving API keys and other info on Environments while knowing a password is all the security there is.

rhinck commented 2 years ago

Yubikey 2FA would be important for our company as well

Suhas-Gaikwad commented 2 years ago

We are working on the MFA feature and will release it in September 2022.

ziegenberg commented 2 years ago

That's awesome news!

TaDahCorp commented 2 years ago

@Suhas-Gaikwad you mentioned MFA will release "in September 2022" on Aug 1. Even SMS will do. Are you still on target? Now that our security officers read CISA bulletins, they are circling like vultures around the developers' offices... ;-)

EvertonMJunior commented 2 years ago

Got the Postman v10 e-mail and thought it would include MFA. Nope... Will you be able to release it this month? @Suhas-Gaikwad

wnelson03 commented 2 years ago

@codenirvana @abhijitkane @arlemi @numaanashraf @DannyDainton @shamasis @loopDelicious

c'mon guys it's been 4 years and this fundamental functionality has yet to be implemented.

It's one thing for a site like Spotify to not have 2FA, completely unacceptable for a site like Postman where requests to vital infrastructure are made.

arlemi commented 2 years ago

@wnelson03 This is something we're currently working on, hoping to release it this quarter. We'll keep everyone up to date here once we have more info to share!

Suhas-Gaikwad commented 2 years ago

Thank you for your patience with our upcoming 2FA feature. We are currently testing the feature internally and we'd love to give you early access. Please show your interest by emailing help@postman.com and we will enable it for your account.

wnelson03 commented 2 years ago

Amazing. I was given access to 2FA after I sent them an email.

2FA is implemented very well. You guys even took the time to add the ability to copy the secret without needing to scan the QR code. A lot of websites don't do that.

Thank you, much appreciated.

nikhilbadyal commented 2 years ago

> Thank you for your patience with our upcoming 2FA feature. We are currently testing the feature internally and we'd love to give you early access. Please show your interest by emailing help@postman.com and we will enable it for your account.

Great, I got access by sending an email and totally loved the implementation they did. Would love when it gets public.

arlemi commented 1 year ago

🔐 2FA is now available to everyone!