Support 2FA for login

Hi!
Are there any plans to support 2FA login through TOTP/U2F? For security reasons I’d really like to see that.

1 Like

Hi Max,

Thank you for the suggestion.
Yeah 2FA would be great.
However, Inkdrop always has to have your encryption key but it is also encrypted with your credentials.
To support 2FA, we have to change this fundamental system so it will take for a while.
I’m currently working on the end-to-end encryption feature.
Once I’ve done the current roadmap, we would discuss about this feature with other users.

1 Like

Memo:

Hi Takuya and thanks for your quick reply.
I looked at your e2e implementation draft: When finished 2fa/u2f should just be an extra authentication layer, shouldn’t it?
As of u2f (hardware based security tokens like yubikey), I’d like to show you this excellent blog post https://medium.com/@guerrerocarlos/yubikey-second-factor-authentication-implementation-in-one-afternoon-or-less-ea0eb2352f40

Lastly I’d like to ask, if you are planning to public your working drafts of the e2e implementation, so that members of the community may help you.

Yeah, sounds like simple.
I will take a look at the blog post!

I’m planning to publish the part of my source code for e2e encryption. I’d be happy to hear your thoughts! Thanks.

2 Likes

Apologies to zombie a thread, but interested in this feature too. I’ve seen 2fa applied in other apps as an “add on” without participating in the note encryption itself (e.g., Standard Notes has it as an Extension that seems to be separate from your password / encryption cred).

Is there any risk at the moment of user db’s being brute-forced to gain access in the absence of 2fa?

I understand your concern.
Let me consider it when finishing the current roadmap.
Because Inkdrop is small, I can easily identify those attacks by seeing an unusual server high load.
Besides, the servers are not enough tough to accept brute-force attacks and those are likely going to be DoS instead before they achieve their purpose.

1 Like

Thank you for taking it into consideration again!

The main driver is when I’m doing development work on behalf of others (e.g., contracts and jobs), and inevitably need to include some customer details. The e2ee is a very strong protection already, 2fa would protect against the “easy” vector (e.g., preventing access to the user dbs via the public client API), leaving only more aggressive client or server-side attacks.

1 Like

My apologies for adding to such an old thread, but I would also be interested in 2FA.

1 Like

Hi Nicole,

Let me finish the current roadmap first. Then, lets’ discuss it for the next roadmap!

2 Likes

Hey Takuya,

Ultimately you would still want to incorporate U2F/2FA for authentication even with e2e by default. Its essentially adding another hurdle for an attacker to jump through. You should also consider (if you havent already) enforcing failed attempt lockout policies, this has benefits for you as the core maintainer of the server stack. Unless you are consistently monitoring security eventing yourself, you should automate client/server security policy as much as possible.

2 Likes

I’d also like to see 2FA

I would also like to use 2FA.

Yes, I want it myself, too.

After being an Inkdrop user for several years, I’ve accumulated an important amount of notes. Some of them contain sensitive information up to a certain degree.

Today I was reviewing my personal security processes and spotted that having that much data stored in Inkdrop without 2FA is becoming a security risk. So I would be very happy if you consider it for the upcoming roadmap.

Another security risk that I spotted is that you cannot revoke Inkdrop sessions. So if I lose my device a malicious actor could still use my active session. And even if I change my Inkdrop password, the open sessions are not revoked. So I have no way to stop the malicious actor from using my Inkdrop session.

A quick solution would be to add a checkbox in the “Change Password” section to allow revoking open sessions after changing the password.

Revoking the client app login sessions is possible to implement.
As I said above that I want it myself, too, so I’m planning to support it.
I understand it’s important.
But let me work on the mobile editor at the moment, which is in the current roadmap.
I’m working so hard on it.

1 Like

FYI: Small update here

1 Like

awesome! :clap:

1 Like

@craftzdog Is there any update on when 2FA might be implemented? It’s been a very long time and I feel that this is a key security requirement especially these days.

I’m currently working on rebuilding the mobile app.