samuelclay / NewsBlur

NewsBlur is a personal news reader that brings people together to talk about the world. A new sound of an old instrument.
http://www.newsblur.com
MIT License
6.9k stars 1k forks

Backend: Two-factor authentication (2FA) #1647

Open shuvashish76 opened 2 years ago

shuvashish76 commented 2 years ago

NewsBlur isn't just a newsreader. From our read articles, likes (intelligence trainer), and notification preferences, it can reveal everything from a person’s political and religious beliefs to sexual orientation and medical conditions, etc.

I'd suggest adding 2FA as extra security for NewsBlur accounts, as 2FA is very common these days & easy to set up.

samuelclay commented 2 years ago

Oh man, you're hitting all the long-time goals with this series of tickets. Do you work as a Product Manager by any chance?

I'm working on #1576 and the premium pro tier could use 2FA.

shuvashish76 commented 2 years ago

> Do you work as a Product Manager by any chance?

😅 Nah, I'm not a dev or project manager. I post my suggestions about what I feel is missing & as users of open-source projects our job is to convince the developer with all the details we can gather. There are no deadlines in OSS development. So feature priority is totally up to you :)

RubenCordeiro commented 2 years ago

+1 for this, my only comment here:

> If you lost access to your authentication codes, you can also do a password reset via email.

That would sort of defeat the purpose of two-factor authentication in a way, since an attacker could hijack your account by having access to one of your authentication factors. A better way in my opinion would be to generate recovery codes upon setup, similarly to what many platforms provide. Biggest issue here would be the level of support required in case someone loses access to their device, but since @samuelclay is thinking about offering this feature to a premium tier, this could be a valid concession.
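
The recovery-code approach suggested in the comment above, as an added sketch that is not part of the thread or of NewsBlur's code: codes are generated once at 2FA setup, stored only as digests, and each works exactly once, while a password reset by email never stands in for the second factor. The names `RecoveryCodes` and `login_allowed`, the code sizes, the PBKDF2 parameters and the in-memory store are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # constructed: no look-alikes (0/o, 1/l/i)
CODE_LEN, CODE_COUNT = 10, 10                 # assumed sizes, about 49 bits per code


def _digest(code: str, salt: bytes) -> bytes:
    # Normalise so "ABCDE-FGHJK" and "abcdefghjk" verify the same.
    normalised = code.replace("-", "").strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


class RecoveryCodes:
    """Per-account record; an in-memory stand-in for a database row."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused: set[bytes] = set()  # digests only, never plaintext

    def issue(self) -> list[str]:
        """Invalidate old codes and return new ones to display once at setup."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(CODE_COUNT)]
        self.unused = {_digest(c, self.salt) for c in codes}
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, submitted: str) -> bool:
        """True if the code is valid and unused; a code works exactly once."""
        candidate = _digest(submitted, self.salt)
        match = next((d for d in self.unused
                      if hmac.compare_digest(d, candidate)), None)
        if match is None:
            return False
        self.unused.discard(match)
        return True


def login_allowed(password_ok: bool, totp_ok: bool,
                  recovery_code: str | None, codes: RecoveryCodes) -> bool:
    """A password (even one just reset by email) never satisfies the second factor."""
    if not password_ok:
        return False
    if totp_ok:
        return True
    return recovery_code is not None and codes.redeem(recovery_code)
```
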