Multi-factor authentication

mahler · January 2, 2019, 5:35am

Just adding a couple text strings to this topic to make it easier to find:

Two-Factor Authentication
2FA

someguy · February 15, 2019, 4:37am

commenting here as i started another similiar thread

I would love to see 2fa/mfa built into the self hosted solution … but what about incorporating this into the pro, ghost hosted options for paying subscribers? That seems like an easier place to start.

someguy · March 5, 2019, 8:13pm

any way to configure this for pro users?

someguy · March 5, 2019, 8:20pm

i’m curious if the recent discussions around Webauthn have brought new interests to this discussion.

I’d also like to hear from Ghost staff if implementing 2fa for pro users would be a much less daunting task to achieve. My assumption is that it would be.

This may also be of interest: GitHub - Yubico/java-webauthn-server: Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

People reading this thread: if you are interested in 2fa on Ghost, whether for self-hosting or pro users … dont forget to vote at the top of the page.

vikaspotluri123 · March 6, 2019, 5:50am

I can’t answer any questions related to Pro because I don’t work for Ghost! Your best bet is to email them via support@ghost.org

gh0-0st · March 10, 2019, 6:18am

Already voted because yes, the implementation of MFA in the authentication process would be a significant benefit for security, and I hope one day it will.

Kevin · March 11, 2019, 9:55am

It’s exactly the same, Ghost(Pro) doesn’t have any customisations of Ghost. If 2fa is implemented it would need to be in Ghost core and work for self-hosters.

se3000 · June 14, 2019, 10:30pm

Any update here?

someguy · January 4, 2020, 3:34pm

Id be happy with just a 2fa via u2f on ghost pro accounts for a short term solution

leon123 · March 4, 2020, 7:25pm

ditto!

kerryhatcher · May 15, 2020, 5:57pm

I"d be happy to help code some of this. Obviously its a big chunk of work and I don’t want a big PR to get denied per the GitHub guidance:

We generally don’t merge new features and larger changes without prior discussion with the core product team for tech/design specification.

github.com

TryGhost/Ghost/blob/main/.github/CONTRIBUTING.md#submitting-pull-requests

# Contributing to Ghost

For **help**, **support**, **questions** and **ideas** please use **[our forum](https://forum.ghost.org)**  🚑.

---

## Where to Start

If you're a developer looking to contribute, but you're not sure where to begin: Check out the [good first issue](https://github.com/TryGhost/Ghost/labels/good%20first%20issue) label on Github, which contains small piece of work that have been specifically flagged as being friendly to new contributors.

After that, if you're looking for something a little more challenging to sink your teeth into, there's a broader [help wanted](https://github.com/TryGhost/Ghost/labels/help%20wanted) label encompassing issues which need some love.

If you've got an idea for a new feature, please start by suggesting it in the [forum](https://forum.ghost.org), as adding new features to Ghost first requires generating consensus around a design and spec.


## Working on Ghost Core

If you're going to work on Ghost core you'll need to go through a slightly more involved install and setup process than the usual Ghost CLI version.

First you'll need to fork [Ghost](https://github.com/tryghost/ghost) to your personal Github account, and then follow the detailed [install from source](https://ghost.org/docs/install/source/) setup guide.

This file has been truncated. show original

Would this be the right place to discus this? @John @Kevin

Thanks!

suraj · April 3, 2022, 3:33pm

Was really surprised to see no support for MFA on Ghost(Pro). It’s 2022 and this is such an important security feature. I have MFA turned on on all of the services that support my site (DNS, analytics, blog commenting, etc.). The only account that does not require a sector factor is Ghost itself!!

M.J.Wolfe · May 1, 2022, 4:38pm

Hi,

Can we please get 2FA for staff accounts implemented via an authentication app such as the one built into Apple device password store or an app like Authy? The passwordless system for members to log in is excellent, but the email/password combination for staff members is highly outdated and lacks modern security features.

We desperately need 2FA capability for staff accounts.

Thanks

Mel

Paul2 · May 10, 2022, 7:38am

2FA should really be mandatory for all staff accounts.

ted_roger · February 7, 2023, 9:38am

MFA will be the best choice for security concerns. I hope in the future we will have this feature in Ghost.

Itchy · March 25, 2023, 12:18pm

Why is this still not implemented? It’s been 5 years since it was first suggested. We’re handling people’s private personal and payments data.

EDIT: so this comment was apparently close to violating the Code of Conduct. I have been told I should make “suggestions with sources”, so here we go.

Clearly MFA is necessary. I don’t have to explain why. If the Devs didn’t want to implement it 5 years ago because there was no open source implementation available (totally understandable) there are now.

I found PrivacyIDEA, an open source and apparently free MFA project. It supports many forms of authentication, including HOTP / TOTP (One Time Passwords), email tokens, SMS (nobody should use this but it’s there), WebAuthn, U2F, Password Tokens, Yubikeys and NitroKeys, and more. When I have got a stable build of my website I’ll be attempting to implement OTPs and Yubikey auth, I’ll let you know how it goes.

Alternatively, there is Ory, which offers the same range of open source auth solutions to build on your site and a hosted service if you don’t want to host it yourself (it’s about $30 for 1000 users a month).

@kerryhatcher I know it’s been 3 years but do you still want to help? Does anyone else want to try implement some of these and see how they work? I’m not very experienced with Node.js (Python for me!) so my progress will probably be quite slow. If anyone wants to help, I would appreciate it. I think everyone here needs the security and if we can get a workable, open source solution running, the devs can add it to Ghost and keep everyone safe.

Let me know what you think and if you want to help. Cheers.

matenauta · March 28, 2023, 2:33am

Is that a real limitation to implementing some MFA that’s mandatory for every project that supposed to be secure on internet?

Are you still thinking on that on 2023? I can live without SSO (because there are devs around there) and I can bought a theme (two really).

But I can’t open to the world my collaborative projects without MFA.

pureflo · June 24, 2023, 8:12am

We will be hopeful.

agam · August 15, 2023, 11:09am

I would really like to secure my newsletter login with 2FA. Many hacks nowadays are stopped by such mechanisms.

stuartbreckenridge · September 21, 2023, 10:36pm

I would like to see Passkeys implemented.