[Feature] Enable 2FA/MFA for login
In order to protect access to my account I would like to have the ability to enable multi-factor authentication options on my account such as TOTP and WebAuthn. Is this already on your roadmap?
Hi there!
Excellent question!
We've been building this for a while, and it's almost ready!
We're internally testing the authentication / key flow very intensely and rigorously to make sure things will be as safe as possible, and that's what's been taking time. Since 2FA directly relates to authentication, it's one of the rare features we can't push to beta for real-world testing, because adversaries would immediately use the beta channel to attack users.
So now, we're building intense tests internally to test against all browsers, all OSes, all relevant versions of both, as many devices as we can afford, as many network conditions as we can test, and as many countries & locations as we can test from.
In addition to all this, we've been waiting for iOS to release support for WebAuthn & FIDO U2F (i.e. Yubikeys) so that we can add support for FIDO. (Apple released support for it fairly recently in November 2019, and Yubico on December 10th, 2019.) So while we're busy testing things, we're also waiting for everyone to get the latest iOS. Otherwise, if you enable 2FA on your desktop but your iOS is out-of-date, you'll get locked out on your phone forever.
As much as we want to release this right away, we can only move as fast as the slowest OS can (in this case Apple), and we have a responsibility towards tons of users who may or may not have updated their iOS yet.
We can see that many users haven't even updated to iOS 13 yet (presumably because they're pissed that Apple has been chain-fixing iOS 13 bugs since September 2019).
So it's coming soon, we're just testing, waiting & watching a few things to finally release this.
Hoping this makes sense!
I'll keep this thread posted once it's ready for a public beta!
@johnozbay - Is the intent to only roll out support for Yubikeys, or will TOTP go too? It seems to me that TOTP would be a stop-gap to not having any MFA options, instead of waiting for everyone to upgrade to iOS 13 (for Apple users). I don't know about Android's support of WebAuthn.
It's going to be FIDO & TOTP. So both Yubikeys and TOTP.
In a nutshell, 2FA requires us to add a step before the server sends the auth token to the client, where the server can check whether or not the client presented the correct FIDO/TOTP token/pin.
Client side implementation is quite easy actually. It's going to be a pop-up modal specific to the 2FA method. That's it.
The fundamental change here is adding the extra check step to the server. So let's say right now we're at api/auth/v1; if we have to release TOTP first, that means we'll have to version the backend API and add a new api/auth/v2 endpoint - and if we add FIDO later, we'll have to add another new api/auth/v3 endpoint. Conceptually it's all the same, but since we can't beta test these endpoints publicly (like I mentioned in the previous comment), it takes more testing time, so a new API version = one more version's worth of security testing = more time.
So for us, it makes the most sense to roll these two out simultaneously (once we reach a critical mass of devices that support all 2FA methods) to not have to version the backend API twice.
And to be even more specific, we have some serious nation-state level censorship-circumvention methods built into the service. Long story short, the idea is that if a nation-state/other actor is feeling itchy and wants to take this specific API down, they will need to pull the plug on a very large percentage of the internet at ISP level.
So what we're building is not as simple as a "send user-id & password hash, get token back" type thing. There's all sorts of funky routing in place to make sure it's hard to knock down / tamper with. Hence the long testing times.
@johnozbay Thank you for the explanation. I look forward to the release.
Hi,
(This is not a complaint or a criticism!) But I see that this post is almost two and a half years old. Is 2FA still an ongoing project?
Hi! I'm also curious about how things are moving along with this feature.