Device verification & email 2FA - Ghost Changelog

We've just introduced two simple security enhancements for staff user logins on Ghost: Device verification, and email-based two-factor authentication (2FA).

Now, when any staff user signs in to Ghost from a new/unrecognized device for the first time, they'll be required to enter a 6-digit 2FA code sent to their registered email address. This extra layer of protection is automatically enabled on all Ghost sites.

Optionally, site administrators can now also configure Ghost to send email 2FA codes as part of every staff user login, regardless of device.

This new option can be found under Settings → Staff users → Security.

Advanced security options

As always: users with stricter security requirements can put network-based authentication in front of the entire /ghost route, covering both the admin panel and the API, using a system such as Cloudflare Access in combination with third-party SSO providers or enterprise IdP integrations.

More information about Ghost's security practices is available in our detailed developer documentation:

Ghost Security & Privacy
Ghost is committed to developing secure, reliable products utilising all modern security best practices. Find out more about Ghost security and privacy.

Ghost(Pro) users can log in and start enjoying all of this right away! If you're a developer, self-hosting Ghost, you'll need to update to the latest version to get access to everything that's new.


As email 2FA codes can easily be compromised, I’d love to see actual Multi-factor authentication with TOTP codes and possibly even WebAuthn.

I think it's good that there's now 2FA at all, but I wish there were safer alternatives than just email.

