Support 2FA for login

Yeah, sounds simple.
I will take a look at the blog post!

I’m planning to publish the part of my source code for e2e encryption. I’d be happy to hear your thoughts! Thanks.

2 Likes

Apologies to zombie a thread, but interested in this feature too. I’ve seen 2fa applied in other apps as an “add on” without participating in the note encryption itself (e.g., Standard Notes has it as an Extension that seems to be separate from your password / encryption cred).

Is there any risk at the moment of user DBs being brute-forced to gain access in the absence of 2FA?

I understand your concern.
Let me consider it when finishing the current roadmap.
Because Inkdrop is small, I can easily identify those attacks by seeing an unusually high server load.
Besides, the servers are not tough enough to accept brute-force attacks, and those are likely going to be DoS instead before they achieve their purpose.

1 Like

Thank you for taking it into consideration again!

The main driver is when I’m doing development work on behalf of others (e.g., contracts and jobs), and inevitably need to include some customer details. The e2ee is a very strong protection already, 2fa would protect against the “easy” vector (e.g., preventing access to the user dbs via the public client API), leaving only more aggressive client or server-side attacks.

1 Like

My apologies for adding to such an old thread, but I would also be interested in 2FA.

1 Like

Hi Nicole,

Let me finish the current roadmap first. Then, let's discuss it for the next roadmap!

2 Likes

Hey Takuya,

Ultimately you would still want to incorporate U2F/2FA for authentication even with e2e by default. It's essentially adding another hurdle for an attacker to jump through. You should also consider (if you haven't already) enforcing failed-attempt lockout policies; this has benefits for you as the core maintainer of the server stack. Unless you are consistently monitoring security eventing yourself, you should automate client/server security policy as much as possible.

2 Likes

I’d also like to see 2FA.

I would also like to use 2FA.

Yes, I want it myself, too.

After being an Inkdrop user for several years, I’ve accumulated an important amount of notes. Some of them contain sensitive information up to a certain degree.

Today I was reviewing my personal security processes and spotted that having that much data stored in Inkdrop without 2FA is becoming a security risk. So I would be very happy if you consider it for the upcoming roadmap.

Another security risk that I spotted is that you cannot revoke Inkdrop sessions. So if I lose my device a malicious actor could still use my active session. And even if I change my Inkdrop password, the open sessions are not revoked. So I have no way to stop the malicious actor from using my Inkdrop session.

A quick solution would be to add a checkbox in the “Change Password” section to allow revoking open sessions after changing the password.

Revoking the client app login sessions is possible to implement.
As I said above, I want it myself too, so I’m planning to support it.
I understand it’s important.
But let me work on the mobile editor at the moment, which is in the current roadmap.
I’m working so hard on it.

1 Like

FYI: Small update here

1 Like

awesome! :clap:

1 Like

@craftzdog Is there any update on when 2FA might be implemented? It’s been a very long time and I feel that this is a key security requirement especially these days.

I’m currently working on rebuilding the mobile app.

Hi @craftzdog – I wanted to check if you had an update on this. 2FA is a very important security feature that I hope gets implemented one day. Thanks!

@anon80862206 Not yet. I’m still busy building the new mobile version. Thank you for bringing this up again.

Since it was mentioned in the last YouTube video, wanted to add my two cents to what was mentioned. I’m not a NodeJS developer, so not sure about the integration aspect, but believe the use of the token with the app would be best as I can just integrate it into 1Password for logins, not having to wait to receive an email.
Not sure how difficult it would be to provide both options for the user to choose, kind of in the way that services like Google and most social media sites allow for either option or having multiple options enabled.

@Nicole_Daniella After looking into the source code of the TOTP libraries, I understood that validating a one-time code is performed on the server side. So, it should be as easy as email verification.