2FA for logins

[ara4n]

When I log in (using a username/password or 3PID/password combo), we should give users the option to also require a two factor authentication (or multi-factor authentication) via other channels. Options are:

• 2FA by email
• 2FA by SMS (MSISDN)
• 2FA by matrix, using another device.

[ara4n]

To do a sensible job of this we should probably have a seperate 3PID verification service, as proposed in matrix-org/synapse#1710.

[Dasoren]

Is there any update on the work for this or anything?
Just wondering, because I would like 2FA for my account v.s just a username/password.

[spacekitteh]

Another crucial option would be via X.509, which would allow a large array of existing authentication methods to be used transparently.

[spacekitteh]

Relevant: matrix-org/olm#5

[lpar]

RFC6238. Then people can use Google Authenticator, Authy, LastPass Authenticator, or pretty much any other standard 2FA app.

[vsund]

I'd really like to see Fido U2F like it's implemented by Yubico etc.

[lrvick]

I strongly second U2F. It is well tested, standard, built to withstand phishing attacks, and never exposes any secrets to system memory.

[RyanSquared]

Correct me if I'm wrong but wouldn't this require it to be implemented in a Matrix implementation rather than Riot? Matrix would have to support U2F, with Riot just passing on the authentication request.

[lrvick]

@RyanSquared It would need to be implemented in a both the UI and the authentication server IIRC.

[RyanSquared]

So if it needs to be implemented on a backend server as well, is there a relevant issue for U2F or other 2FA methods on a backend server (or for the protocol)?

[singlerider]

+1 for U2F

[ara4n]

this is starting to get more urgent with the advent of cryptocommunities and other security-focused communities embracing Matrix. need to check out U2F and how it compares to TOTP and friends.

[pafcu]

FYI, Firefox does not support U2F out of the box currently, but it was added to nightly last week, so should hopefully land at some point in the not too distant future.

[RyanSquared]

I'd say it's not "last week", based on this article: https://www.yubico.com/2017/09/firefox-nightly-enables-support-fido-u2f-security-keys/

[vsund]

Before Firefox 57 you can use an addon for Firefox to use U2F. I currently use U2F without any addons in Firefox 57 Beta. According to their release schedules, they release Firefox 57 on 2017-10-14 (https://wiki.mozilla.org/RapidRelease/Calendar). I had to enable it manually though.

[ara4n]

In case anyone is wondering why this hasn’t happened yet: we’ve found that most people who want 2FA are also using SSO, and so can use the SSO provider (keycloak etc) for this.

However, we still want to get it natively into Matrix, but it’s in the middle of the feature backlog.

[JonathanWilbur]

I'd like to point out that I have an outstanding feature request that I reported for TLS / X.509 client certificate authentication. If implemented, it would require no change at all to Synapse, Dendrite, or the Matrix protocol, and would still provide an additional factor of very robust, well-understood authentication.

[networkException]

I believe a TLS certificate would not be what a regular user expects from a platform offering MFA. By looking at the comments in this issue it is clear that TOTP, U2F and FIDO2 / WebAuthn are prefered methods.

[DC7IA]

• 2FA by email

• 2FA by SMS (MSISDN)

SMS is not 2FA, everyone with an SS7 account can listen to the messages.

Email is unencrypted.

What about TOTP?

Let's just stick to well-established standards.

https://tools.ietf.org/html/rfc6238

Standards ftw!

[mjeveritt]

Let's just stick to well-established standards.

https://tools.ietf.org/html/rfc6238

Standards ftw!

Obligatory response: https://xkcd.com/927/

[CoolGaM3r215]

TOTP would be nice if added

[thalesfsp]

Since 2016.. and counting

[SergeyDjam]

2FA by matrix, using another device.

TOTP? FreeOTP, Aegis, Google Authenticator, hardware OTP?

[RyanSquared]

2FA by matrix, using another device.

TOTP? FreeOTP, Aegis, Google Authenticator, hardware OTP?

I believe the intent was to use the second device, already signed into Matrix, as a 2FA method.

[Mikaela]

I think Element has given up on this and moved the issue to https://areweoidcyet.com/

2FA/MFA currently depends on login system of your homeserver

[erebion]

"2FA by matrix, using another device." - This is definitely needed, especially by a "Verified" alternate device (text, emoji, etc).

Steal a device or get access for half a minute, add a device... This does not seem to be a good idea. I'd go with WebAuthn instead.

Or alternatively a way to disable this and require entering the password to enable this again.

[erebion]

Also, WebAuthn. The standard many sites now adopt. Much better than TOTP, but for the users that don't have a WebAuthn device, TOTP is still better than no 2FA at all.

[ptman]

OIDC seems to be the way forward (for synapse, dendrite just dropped PR for OIDC). So make sure you pick an auth provider that supports 2FA. https://areweoidcyet.com/ . WebAuthn is supported by a very wide range of devices since google/apple/microsoft passkeys are built on top of webauthn.

[AydroPunk]

Is there any update on this type of FIDO2/WebAuthn authentication?

[nkvname]

Still no 2FA support and it's been almost 8 years since this was requested for the first time. What a joke.

[esackbauer]

Use a proper SSO solution like Keycloak, Authentik or Duo, and you have 2FA.
I am using Authentik. Great product.

[nkvname]

You are forgetting all public Matrix servers. SSO is the only viable solution if you are using Matrix internally only.

[t3chguy]

SSO is the only viable solution if you are using Matrix internally only.

How so? matrix.org has SSO support connected to Github, Google, Gitlab, Facebook, Apple, all of which you can enable 2FA on. Any server can connect to OIDC providers like those, or run their own e.g. Authelia/Authentik for free which will allow them more login options.

[nkvname]

You are proposing that everyone should have big tech account to have access to the basic feature such as 2FA? This community is cooked.

[esackbauer]

You are proposing that everyone should have big tech account to have access to the basic feature such as 2FA? This community is cooked.

No its not cooked, you cannot read comprehensive. You can use SSO like Authelia, keycloak etc. also for public servers. It actually has benefits like better control over your users.