penpot
Add two-factor authentication (2FA) with TOTP / HOTP
Is your feature request related to a problem? Please describe. Designs and prototypes are in many cases sensitive data which should be protected. A two-factor authentication would protect them better than only an email and password based authentication.
Describe the solution you'd like The "password" page could be renamed to "security" or "authentication" and include a 2FA component in addition to the password.
Most programming languages have libraries for implementing OTP (One Time Password) with TOTP / HOTP. E.g. TypeScript has https://github.com/yeojz/otplib
The user could use any 2FA Auth app like Google Authenticator or Authy and scan the QR code from the page.
Describe alternatives you've considered 2FA with TOTP / HOTP is the industry standard and alternatives like SMS or Email based Auth aren't as secure and sending them would also cost more.
Additional context I'd love to help, but I've never worked with Clojure / ClojureScript...
Hello @CMiksche
As far as I understand, on the technical side, we need to generate a random, shared key for users that want to use 2FA and allow the user to retrieve it on the profile section for setting up the 2FA authenticator application (Google Authenticator, FreeOTP, etc...), then if the user has activated 2FA, redirect the user to type the corresponding token that the user can retrieve from the 2FA app on mobile. Am I right?
From a general perspective, this is already on our roadmap, but we didn't prioritize it. We will discuss it internally and prioritize it accordingly. I have created this internal Taiga US.
Thanks.
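The flow sketched above (random shared key, enrolment through an authenticator app, token check on login) as an added Python example implementing RFC 4226 HOTP and RFC 6238 TOTP directly on `hmac`; this is illustrative code, not penpot's, and the issuer name, the drift window and the replay counter parameter are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared key, base32-encoded (no padding) as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    ts = int(time.time()) if at is None else at
    return hotp(secret_b32, ts // step)


def provisioning_uri(secret_b32: str, account: str, issuer: str = "penpot") -> str:
    """otpauth:// URI to render as the QR code the user scans (issuer name is assumed)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret_b32: str, token: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, last_counter: int = -1) -> Optional[int]:
    """Return the matching time-step counter, or None if the token is rejected.
    Accepts `window` steps either side of now to absorb clock drift, compares in
    constant time, and refuses any counter <= last_counter (persist the returned
    value per user) so a code that was already accepted cannot be replayed."""
    ts = int(time.time()) if at is None else at
    now = ts // step
    for counter in range(now - window, now + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret_b32, counter), token):
            return counter
    return None
```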
> As far as I understand, on the technical side, we need to generate a random, shared key for users that want to use 2FA and allow the user to retrieve it on the profile section for setting up the 2FA authenticator application (Google Authenticator, FreeOTP, etc...), then if the user has activated 2FA, redirect the user to type the corresponding token that the user can retrieve from the 2FA app on mobile. Am I right?
Yeah - I think you're right. (I never implemented 2FA on my own but plan to do it in the future)
Supporting the WebAuthn standard (security keys) as well would also be quite nice if you have available resources. But I believe TOTP to be in higher demand.
Thank you for your effort! :)
A friend asked me about alternatives to Figma today and I discussed Penpot. They then asked, "is it secure?", and I was stuck saying "sort of" as there is no MFA protection.
Please implement MFA TOTP (Figma has it)
I couldn't find one in Clojure, but here's a reference implementation in Ruby that's pretty readable/logical. https://github.com/mdp/rotp
Sidenote on Passkeys/webauthn:
Consensus in 2024 is that passkeys/WebAuthn is a shattered dream. Related front page discussion on HN.
"The biggest issue with passkeys is that I just can't trust the companies offering them" -- Top comment on HN
Want to engage more on Passkeys/Webauthn, probably better to make a new issue and reference this issue.
I just signed up for a demo and really liked using it as of 2.0 but was gutted that it doesn't have 2FA.
We're in the middle of a global cyberwar and everything needs to be locked down. Anyone who doesn't have advanced authentication can't expect that their files on any online service are safe unless we're using advanced authentication methods.
Email based 2FA would be a pretty big improvement over nothing. Back to swapping PowerPoint files, I guess.
Would like to see a TOTP 2FA option