Multi-factor authentication

Would be awesome to have some form of multi-factor authentication in front of the /ghost admin login. Lack of MFA + rate limiting makes it highly susceptible to brute force. Anyone know of any workarounds?

Ghost has configurable brute-force prevention already!

3 Likes

Has had login rate limiting from day one. MFA is a valid request though. The main concern is figuring out how to do it decentralised rather than centralised, which tends to be a little harder / less user friendly.

Def possible though

2 Likes

Touché :) I made a bad assumption…

:+1:

Thanks for a great platform.

Is something like libpam-google-authenticator feasible for this?

3 Likes

Any update here? I would love this feature!

Just adding a couple text strings to this topic to make it easier to find:

  1. Two-Factor Authentication
  2. 2FA

3 Likes

Commenting here as I started another similar thread.

I would love to see 2fa/mfa built into the self hosted solution … but what about incorporating this into the pro, ghost hosted options for paying subscribers? That seems like an easier place to start.

1 Like

any way to configure this for pro users?

1 Like

I’m curious if the recent discussions around WebAuthn have brought new interest to this discussion.

I’d also like to hear from Ghost staff if implementing 2fa for pro users would be a much less daunting task to achieve. My assumption is that it would be.

This may also be of interest: GitHub - Yubico/java-webauthn-server: Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

People reading this thread: if you are interested in 2FA on Ghost, whether for self-hosting or Pro users … don’t forget to vote at the top of the page.

I can’t answer any questions related to Pro because I don’t work for Ghost! Your best bet is to email them via support@ghost.org

Already voted :wink: because yes, the implementation of MFA in the authentication process would be a significant benefit for security, and I hope one day it will.

It’s exactly the same, Ghost(Pro) doesn’t have any customisations of Ghost. If 2fa is implemented it would need to be in Ghost core and work for self-hosters.

1 Like

Any update here?

I’d be happy with just 2FA via U2F on Ghost Pro accounts as a short-term solution.

ditto!

I’d be happy to help code some of this. Obviously it’s a big chunk of work and I don’t want a big PR to get denied per the GitHub guidance:

We generally don’t merge new features and larger changes without prior discussion with the core product team for tech/design specification.

Would this be the right place to discuss this? @John @Kevin

Thanks!

Was really surprised to see no support for MFA on Ghost(Pro). It’s 2022 and this is such an important security feature. I have MFA turned on for all of the services that support my site (DNS, analytics, blog commenting, etc.). The only account that does not require a second factor is Ghost itself!!

3 Likes

Hi,

Can we please get 2FA for staff accounts implemented via an authentication app such as the one built into Apple device password store or an app like Authy? The passwordless system for members to log in is excellent, but the email/password combination for staff members is highly outdated and lacks modern security features.

We desperately need 2FA capability for staff accounts.

Thanks

Mel

4 Likes

2FA should really be mandatory for all staff accounts.

4 Likes