standardnotes / forum

Support from other community members. For 1-on-1 help, please contact help@standardnotes.com.
https://forum.standardnotes.org

hardware security key feature should be for everyone #3681

Closed: oppressor1761 closed this issue 1 month ago

oppressor1761 commented 1 month ago

Describe the solution you'd like
Currently the hardware security key feature is only available to Professional Subscription users. It is a more secure feature than other two-factor authentication methods like authenticator apps. I think security should not be behind a paywall. Everyone should benefit from tech like hardware security keys and much newer tech like passkeys to enhance their security and privacy.

FID02 commented 1 month ago

I completely understand that Standard Notes wants to include extra features for the highest-tier plan. It makes complete sense in terms of the extra cost of storage and the continued development of other highly wanted features.

But in this case, I do not see a strong argument against releasing the security key feature to all users, even to users of the free plan. Bitwarden did this some time ago, releasing FIDO2 support to free users which was previously only available to users of the paid plans.

Even from a pure marketing perspective, I see this as nothing but a net gain. Take the Bitwarden announcement as an example: headlines such as "Bringing security to all" send a strong message about the service's focus on security, even to people who are not currently using their service or do not currently have a security key.

Furthermore, take Ente's announcement about passkey support. They aren't really supporting "passkeys" in the strict technical sense of passkeys being password-less; Ente still requires a password in addition to FIDO2, presumably because of their E2EE. As such, their FIDO2 implementation really isn't any different from Standard Notes'. The term "passkeys" is simply becoming familiar to users, and is really a better marketing term than "security keys".

Standard Notes can also take advantage of this: more and more password managers, such as Proton Pass, support storing non-passkey FIDO2 keys for multifactor authentication. I have tested this with Standard Notes on Android, and I can use the private key that I saved in Proton Pass as a "hardware key" to authenticate to the Android app, with ease. In other words, users can use phishing-resistant MFA without needing a hardware key.

Standard Notes can benefit from embracing and advertising this to their current and potential future users of the free and lower-tier plan.
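As an added illustration of the two technical points in the comment above (FIDO2 used as a second factor after the password rather than as a password replacement, and a credential held in a password manager being phishing-resistant MFA without a hardware key), here is example code written for this page. It is not Standard Notes', Ente's or Proton Pass's implementation. The relying-party ID `notes.example`, its origin, the look-alike phishing origin and the fixed challenge are all assumptions constructed for the demo; the assertion layout (rpIdHash, flags, counter, and the signature over authenticatorData plus the hash of clientDataJSON) follows WebAuthn.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying-party identity for this illustration (not taken from the page).
const rpID, origin = "notes.example", "https://notes.example"

// Assertion holds the three values a FIDO2/WebAuthn client returns to the server.
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewSoftwareCredential models a credential kept in a password manager:
// ordinary software-resident key material rather than a hardware key.
func NewSoftwareCredential() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the
// message a WebAuthn assertion signature actually covers.
func signedDigest(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	sum := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return sum[:]
}

// Sign is the authenticator side. keyRPID is the RP the credential was created
// for; clientOrigin is the origin the client actually observed. Authenticator
// data is rpIdHash || flags (UP only) || big-endian signCount.
func Sign(priv *ecdsa.PrivateKey, keyRPID, clientOrigin string, challenge []byte, counter uint32) (Assertion, error) {
	cd, err := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), clientOrigin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256([]byte(keyRPID))
	ad := append(h[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(ad[33:], counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	return Assertion{cd, ad, sig}, err
}

// Verify is the relying-party side, run only after the password has already
// been checked. On success it returns the counter value to store.
func Verify(pub *ecdsa.PublicKey, a Assertion, expectedChallenge []byte, storedCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	// The origin and rpIdHash checks are what make this phishing-resistant: an
	// assertion produced on a look-alike site carries that site's origin.
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return 0, fmt.Errorf("type %q / origin %q not accepted for %s", cd.Type, cd.Origin, origin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(expectedChallenge) {
		return 0, errors.New("challenge mismatch (stale or replayed assertion)")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) || a.AuthenticatorData[32]&0x01 == 0 {
		return 0, errors.New("authenticatorData: bad rpIdHash or user presence flag not set")
	}
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (counter != 0 || storedCounter != 0) && counter <= storedCounter {
		return 0, errors.New("signature counter did not increase (cloned credential?)")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("bad signature")
	}
	return counter, nil
}

func main() {
	priv, challenge := NewSoftwareCredential(), []byte("constructed challenge, 32 bytes!")
	good, _ := Sign(priv, rpID, origin, challenge, 1)
	_, err := Verify(&priv.PublicKey, good, challenge, 0)
	fmt.Println("genuine origin:", err)
	bad, _ := Sign(priv, rpID, "https://notes-example.evil.test", challenge, 2)
	_, err = Verify(&priv.PublicKey, bad, challenge, 1)
	fmt.Println("phishing origin:", err)
}
```

Running it prints `<nil>` for the genuine origin and an origin error for the look-alike one. Nothing in this exchange tells the server whether the private key sits in a hardware authenticator or in a password manager, which is the property the comment above relies on; only attestation at registration, which this example omits, could distinguish them. What the server can reject is an assertion minted for another origin or rpID, a replayed challenge, a counter that failed to advance, or a signature from a different key.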