Multi-factor authentication

Why is this still not implemented? It’s been 5 years since it was first suggested. We’re handling people’s private personal and payments data.

EDIT: so this comment was apparently close to violating the Code of Conduct. I have been told I should make “suggestions with sources”, so here we go.

Clearly MFA is necessary. I don’t have to explain why. If the Devs didn’t want to implement it 5 years ago because there was no open source implementation available (totally understandable), there are now.

I found PrivacyIDEA, an open source and apparently free MFA project. It supports many forms of authentication, including HOTP / TOTP (One Time Passwords), email tokens, SMS (nobody should use this but it’s there), WebAuthn, U2F, Password Tokens, Yubikeys and NitroKeys, and more. When I have got a stable build of my website I’ll be attempting to implement OTPs and Yubikey auth; I’ll let you know how it goes.

Alternatively, there is Ory, which offers the same range of open source auth solutions to build on your site and a hosted service if you don’t want to host it yourself (it’s about $30 for 1000 users a month).

@kerryhatcher I know it’s been 3 years but do you still want to help? Does anyone else want to try to implement some of these and see how they work? I’m not very experienced with Node.js (Python for me!) so my progress will probably be quite slow. If anyone wants to help, I would appreciate it. I think everyone here needs the security and if we can get a workable, open source solution running, the devs can add it to Ghost and keep everyone safe.

Let me know what you think and if you want to help. Cheers.
