2 factor authentication

[n00b12345]

Love everything about Shaarli. I've been using it for a few years now and it's been great.

Would you consider implementing 2FA?

[ArthurHoaro]

I'm not opposed to the idea.

It would require an email address and a SMTP server available.

[n00b12345]

@ArthurHoaro or a TOTP based solution could work too. It's probably a little more reliable than email.

[nicolasdanelon]

what about Google Authenticator ?

[n00b12345]

@nicolasdanelon absolutely! That's even better because it's more reliable.

[ArthurHoaro]

Does people actually use that? I always see SMS or email 2 factor auth, but I never stumble upon a website which requires a specific mobile app for authentication (except Steam, which use their own app).

[nicolasdanelon]

I use it but with gmail, bitstamp, bittrex.. maybe.. maybe it is an overkill for shaarli

[marcoskirsch]

Strictly speaking, SMS and email are not the most secure ways to do 2FA, but they are much better than not having it at all and one should also weight the requirements of a bookmark manager and simplicity of implementation. IMHO: whatever is easiest.

[n00b12345]

@ArthurHoaro these days you can use any app you want. Eg. Google authenticator, authy, 1Password etc.

[virtualtam]

Related: #341 - Yubikey support

[virtadpt]

I use a TOTP MFA application pretty frequently - I'm up to 25 services on it.

[jasonpearce]

Does people actually use that? I always see SMS or email 2 factor auth, but I never stumble upon a website which requires a specific mobile app for authentication (except Steam, which use their own app).

I greatly prefer Time-based One-time Passwords (TOTP). When given the choice of MFA/2FA options, this would be my order of preference and why:

• TOTP Software Token (best balance of security and convenience)
• Hardware Token (a physical device, most secure)
• Email Token (because I can secure my email with 2FA/MFA)
• Phone call token (better than nothing, but susceptible to SIM-swap attacks, using a VOIP number is better)
• SMS token (better than nothing, but susceptible to SIM-swap attacks)
• Security Questions (better to just not have 2FA/MFA, but always provide random answers I have to document)

I estimate that about 90 percent of my accounts are TOTP Software Token. I just counted and I have 73 websites/apps setup with TOTP.

For TOTP Software Token, you are rarely required to use a specific app. Viable options include LastPass Authenticator, Google Authenticator, Microsoft Authenticator, Authy, Google Smart Lock, or even blockchain-based Civic.