wireapp / wire

Overview of the open source code for Wire
https://wire.com
GNU General Public License v3.0

Feature Request: Two Factor Auth #85

Open viertaxa opened 7 years ago

viertaxa commented 7 years ago

I'm currently testing out Wire. One thing that immediately stood out to me is the lack of two factor auth across the whole platform. To me, this is a critical feature of a security minded service of any kind.

Off the top of my head, the following things would be a great start if they were able to be enabled independently of each other:

raphaelrobert commented 7 years ago

Thanks for the feedback! 2FA is planned for the future, we are already exploring some of these ideas.

cardassian-tailor commented 7 years ago

I would like to suggest that you look into allowing wire itself to be used as a 2fa method for other services.

So, for example, a user could authenticate with Twitter by having the code sent to their wire account.

trymeouteh commented 6 years ago

Please add Email 2FA.

AvoidMastodonBlue commented 6 years ago

Please enable xmpp 2fa

cardassian-tailor commented 6 years ago

U2F support would be awesome

dinosmm commented 6 years ago

Is two-factor authentication still being looked at? It's the only thing missing from Wire to bring it above the competition. Authenticator app support, perhaps backed up by SMS and/or email or fixed codes, would be awesome. Any news on the timeline for this?

blark commented 6 years ago

I'm not quite sure how you can claim to be "The most secure collaboration platform" with no 2fa/mfa.

0Ky commented 5 years ago

@marcoconti83 @raphaelrobert

Waiting for U2F support just like others. Here's a talk by Yuriy Ackermann, you guys might find this interesting:

muscovitebob commented 5 years ago

Greetings all,

I understand that one of the reasons Wire has so far not implemented traditional MFA is the difficulty in providing compatibility with the web-based, always accessible model of the messenger. I wanted to highlight something a messaging platform with similar constraints has done instead, which I think could be very well adapted to Wire:

https://keybase.io/docs/lockdown/index

cardassian-tailor commented 5 years ago

I love the idea of lockdown but I think there is a very obvious solution to 2fa that should be very easy to implement on the web version. U2f hardware tokens.

cardassian-tailor commented 5 years ago

https://developers.yubico.com/U2F/Libraries/Using_a_library.html

Links here for libraries and code examples for implementation that would get someone started.

cardassian-tailor commented 5 years ago

Looks like electron implementation will be more of a problem. https://github.com/electron/electron/issues/3226

I’d be happy to lose the ability to use the Electron app if I gained U2F/FIDO2.

cardassian-tailor commented 5 years ago

just to follow up - looks like electron has fixed this issue though the commenters seem unsure of how it will persist in the future.

With this now working on electron - I would personally consider this the most important feature missing ... how the application has gone this long without 2fa is difficult to fathom.

@raphaelrobert any updates on this front? Please, please share with us some details.

if there are underlying caveats .. I would love a blog post explaining some of those, possible solutions, etc.

raphaelrobert commented 5 years ago

Wire Pro accounts can now have 2FA through single sign-on (SSO), Wire Personal accounts are unchanged for now.

cardassian-tailor commented 5 years ago

I'm hoping a paid personal account is considered in the future.

Ralms commented 5 years ago

This is literally the feature stopping me from trusting/using Wire. The fact that you can use just an email and password to access the service, makes the rest of the security features pointless.

phenomax commented 5 years ago

Are there any updates? @marcoconti83 @wireswiss

DrWhax commented 5 years ago

This is stopping me currently from recommending Wire to a bunch of organisations.

marcoconti83 commented 5 years ago

Hi everyone, This is still on our roadmap but it likely won't be done during Q2 2019 either. Currently, pro customers are fulfilling this requirement with SSO, but we still plan to provide 2FA to a wider audience when our roadmap allows.

x30n commented 5 years ago

Hi @marcoconti83, we're trialing Wire Pro, but don't see any option to set up SSO (I assume SAML?) to test with MFA. How is this done?

marcoconti83 commented 5 years ago

Hi @x30n , we currently support SSO for Pro users through our support channel, indeed using SAML. You can get in touch with support (support@wire.com) and they will start the procedure to enable it for your team. In the long run, we are building an admin interface for SSO to set it up on your own, but we are not there yet.

cardassian-tailor commented 5 years ago

Is there any viability to incorporating WebAuthn, newly supported by the W3C? I assume a lot of the work on Wire's side for SAML is already completed, so changing gears to WebAuthn might be out of the question. Is there any benefit of SAML over WebAuthn?

https://www.yubico.com/webauthn/ https://webauthn.org/

x30n commented 5 years ago

Thanks for the follow-up @marcoconti83. I did get in touch with support, but unfortunately they said SSO is currently only available for "Enterprises" (>500 users), not just paid Pro accounts... Glad to hear it's coming to a wider audience at some point - so that security-conscious orgs can use MFA (FWIW - Phishing is probably a higher priority in most threat models than the malicious or compromised server threats that e2e addresses).

Tangentially - IMHO it's really bad practice to restrict access to security features to premium tiers, for any product, but especially one that is attempting to distinguish itself from the competition with security*. </$0.02>

*Understood that this may not be happening here - I suspect MFA was an overlooked feature in your initial design and SSO, which mostly only makes sense for organizations, is a hack to enable it without rearchitecting. Still, it can leave a bad taste if it appears that security features are being held hostage, even if not true. 🙂

orangesunny commented 5 years ago

> Hi everyone, This is still on our roadmap but it likely won't be done during Q2 2019 either. Currently, pro customers are fulfilling this requirement with SSO, but we still plan to provide 2FA to a wider audience when our roadmap allows.

Sounds great. Do you have any news about ETA, please?

arnoldoree commented 5 years ago

> Hi @x30n , we currently support SSO for Pro users through our support channel, indeed using SAML. You can get in touch with support (support@wire.com) and they will start the procedure to enable it for your team. In the long run, we are building an admin interface for SSO to set it up on your own, but we are not there yet.

I'm glad to learn that this is the Wire position. Not having 2FA/MFA available as the most basic premise of the Wire Platform has really caused a great number of gremlins to run around in my mind with regard to the integrity of the system.

Given the nature of cloud systems, and the natural progression of a platform positioned as Wire towards enterprise infrastructure / universal application systems integration, it is critical that this is addressed as you are doing, and that the feature provisioning messaging to developers, engineers, enterprise architects, and other interested parties is loud and clear.

v3EtBhYE commented 4 years ago

@raphaelrobert Is MFA coming any time soon? It is really crucial to the online security of all users.

Ralms commented 4 years ago

@v3EtBhYE if in 2 years the Wire team didn't add this feature, they have proven to have little regard when it comes to security. This is the deal breaker that resulted in me not trusting Wire one bit.

KaKi87 commented 4 years ago

Hello, any news on this? Thanks.

joshbuker commented 4 years ago

3 years, still no 2FA, let alone U2F / WebAuthn support?

Claims to be "the most secure collaboration platform" don't hold much water when even non-security-focused chat applications commonly have 2FA support. See Slack and Discord for example.

[Image: wire claims]

This feels very reminiscent of certain VPN companies making wild claims and using scare tactics for marketing. Until 2FA is supported, being marketed as the most secure communications platform feels disingenuous. Less technical users won't know any better, and may incorrectly assume that their accounts are more secure than they really are.

KaKi87 commented 4 years ago

Hello, I personally stopped using Wire because of this and some other issues never answered. I recommend you to do the same.

lucagoetheil commented 4 years ago

Any updates?

joshbuker commented 4 years ago

@lucagoetheil Lol, no updates other than the Wire team trying to hide criticism by marking it off-topic it seems. (presumably this will also be marked off-topic or removed without comment from @wireswiss)

gerardforcada commented 3 years ago

Any updates on this?

KaKi87 commented 3 years ago

Migrate to Signal 😉

Ralms commented 3 years ago

> Migrate to Signal 😉

I was thinking the same lool Wire team has proven at this point they have no concerns with privacy or security.

KaKi87 commented 3 years ago

Exactly.

orangesunny commented 3 years ago

> Migrate to Signal 😉

No matter the feature, privacy, or encryption comparison, I wouldn’t see this as the reason for migration, or even a solution. Calling Signal’s Registration lock a shining example of 2FA is definitely not a case.

Yes, Wire should add 2FA.

Ralms commented 3 years ago

> > Migrate to Signal 😉

> No matter the feature, privacy, or encryption comparison, I wouldn’t see this as the reason for migration, or even a solution. Calling Signal’s Registration lock a shining example of 2FA is definitely not a case.

> Yes, Wire should add 2FA.

When an extremely important feature is ignored by the Wire team since 2017, it shows how seriously they take security. 2017 as in over 3 years ago...

Signal doesn't even have MFA because it doesn't need it by design, uses your phone number and a pin you define. But Wire forces you to use email and password, while providing 0 mechanisms to protect your account. I wouldn't trust a company like this with my chats and private information that is for sure.

orangesunny commented 3 years ago

@Ralms I didn’t say you should use or praise Wire. I said:

> Yes, Wire should add 2FA.

I also think that using a phone number as part of the authentication is not a good reason to use any platform. SMS is not a secure channel at all.

Enthusing other users to use a different solution in the repo of Wire (or any other software) is not a clever, nor gentle thing to do.

joshbuker commented 3 years ago

Comparing Signal and Wire is not a fair comparison imo, they serve different but related purposes. Wire and Slack are more aligned on intended usage and functionality, and that's where security shortcomings are readily apparent.

That said, it's still a huge faux pas not having 2FA after 3 years of being alerted to it, and for a high value target like a communications app, serious false advertising calling it "the most secure".

Ralms commented 3 years ago

> Comparing Signal and Wire is not a fair comparison imo, they serve different but related purposes. Signal and Slack are more aligned on intended usage and functionality, and that's where security shortcomings are readily apparent.

> That said, it's still a huge faux pas not having 2FA after 3 years of being alerted to it, and for a high value target like a communications app, serious false advertising calling it "the most secure".

You might be confusing Telegram with Signal.

Signal and Slack have 0 in common.

joshbuker commented 3 years ago

> > Comparing Signal and Wire is not a fair comparison imo, they serve different but related purposes. Signal and Slack are more aligned on intended usage and functionality, and that's where security shortcomings are readily apparent. That said, it's still a huge faux pas not having 2FA after 3 years of being alerted to it, and for a high value target like a communications app, serious false advertising calling it "the most secure".

> You might be confusing Telegram with Signal.

> Signal and Slack have 0 in common.

Ah, brain fart. I meant to type Wire and Slack, not Signal and slack. I've fixed it now.

ZelphirKaltstahl commented 3 years ago

> > > Migrate to Signal 😉

> > No matter the feature, privacy, or encryption comparison, I wouldn’t see this as the reason for migration, or even a solution. Calling Signal’s Registration lock a shining example of 2FA is definitely not a case. Yes, Wire should add 2FA.

> When an extremely important feature is ignored by the Wire team since 2017, it shows how seriously they take security. 2017 as in over 3 years ago...

> Signal doesn't even have MFA because it doesn't need it by design, uses your phone number and a pin you define. But Wire forces you to use email and password, while providing 0 mechanisms to protect your account. I wouldn't trust a company like this with my chats and private information that is for sure.

Well, on the other hand, I don't want to connect my phone number with my Wire account, so I actually like the fact, that it does not require my phone number to work, including not forcing 2FA via phone.

So how do we envision 2FA exactly, without phone number? That is an interesting question. Would you say a second e-mail account is sufficient?

joshbuker commented 3 years ago

@ZelphirKaltstahl SMS-based 2FA is considered insecure, and authy apps are the current de facto standard, iirc. Authy apps do not require a phone, let alone a phone number.

KaKi87 commented 3 years ago

Honestly, I didn't recommend Signal because of SMS 2FA or whatever, but because devs care more about security than Wire does. And, see, Wire devs are so inactive that they're not coming here in time to stop us from advertising Signal here.

radiosilence commented 3 years ago

It's been nearly four years and still no 2FA?

KaKi87 commented 3 years ago

Honestly just switch to Signal.

orangesunny commented 3 years ago

> Honestly just switch to Signal.

Again, @KaKi87, how does this relate to Wire development? Use your Signal, stop being repetitive here, and may become happy :)

KaKi87 commented 3 years ago

I wouldn't be saying that if Wire devs were listening to our requests.

orangesunny commented 3 years ago

It is said that they don’t reply, yes. But promoting other software is not helping anyhow; it is not a solution, nor a request. It’s only spamming many people with notifications about off-topic.