MFA will be the best choice for security concerns. I hope in the future we will have this feature in Ghost.
Why is this still not implemented? It's been 5 years since it was first suggested. We're handling people's private personal and payment data.
EDIT: so this comment was apparently close to violating the Code of Conduct. I have been told I should make "suggestions with sources", so here we go.
Clearly MFA is necessary. I don't have to explain why. If the Devs didn't want to implement it 5 years ago because there was no open source implementation available (totally understandable), there are now.
I found PrivacyIDEA, an open source and apparently free MFA project. It supports many forms of authentication, including HOTP / TOTP (One Time Passwords), email tokens, SMS (nobody should use this but it's there), WebAuthn, U2F, Password Tokens, Yubikeys and NitroKeys, and more. When I have got a stable build of my website I'll be attempting to implement OTPs and Yubikey auth; I'll let you know how it goes.
Alternatively, there is Ory, which offers the same range of open source auth solutions to build on your site and a hosted service if you don't want to host it yourself (it's about $30 for 1000 users a month).
@kerryhatcher I know it's been 3 years but do you still want to help? Does anyone else want to try implementing some of these and see how they work? I'm not very experienced with Node.js (Python for me!) so my progress will probably be quite slow. If anyone wants to help, I would appreciate it. I think everyone here needs the security and if we can get a workable, open source solution running, the devs can add it to Ghost and keep everyone safe.
Let me know what you think and if you want to help. Cheers.
Is that a real limitation to implementing some MFA, which is mandatory for every project that is supposed to be secure on the internet?
Are you still thinking about that in 2023? I can live without SSO (because there are devs around there) and I can buy a theme (two really).
But I can't open my collaborative projects to the world without MFA.
We will be hopeful.
I would really like to secure my newsletter login with 2FA. Many hacks nowadays are stopped by such mechanisms.
I would like to see Passkeys implemented.
Is there any update, or any official statement from Ghost, as to whether a 2FA/MFA feature is being worked on?
I know there is already a thread, but wanted to express that MFA should be without question the top priority for new features. No plugins – MFA built into the product like any other app. I cannot even think of a single other app I use that doesn't have MFA. I love Ghost but it really confuses me how this could be left out of development.
Also, it definitely costs Ghost money to not have MFA. I know several businesses that will not use Ghost simply because there is no MFA. I work in cybersecurity and MFA really isn't optional in 2023. Businesses running Ghost have compliance needs, etc., and not having MFA on a production website looks bad and is insecure.
Also, why no option to whitelist IPs that can log in? A basic feature like this is literally an if statement comparing against a CIDR list of IPs – guessing max time to implement 48 hours…
Having an IP whitelist is a good option that is better than nothing until MFA is added.
In short: the cost to develop is low (low effort/low cost), and the money lost from businesses not buying because there is no MFA is likely high.
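An IP allowlist check of the kind described in the post above, written here as an added example and not taken from Ghost's own code: Express-style middleware that parses a CIDR list and refuses login requests from addresses outside it. The admin route, the allowlist ranges and the proxy handling are assumptions made for this example.

```javascript
// Added example (not Ghost's code): restrict admin login to an IPv4 allowlist.
// The ranges below are constructed from RFC 5737 documentation prefixes.
const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.7/32'];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
// Throws on anything that is not exactly four octets in 0..255.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Parse "a.b.c.d/n" into { network, mask } as unsigned 32-bit integers.
// A bare address is treated as a /32 host route.
function parseCidr(cidr) {
  const [addr, prefixStr = '32'] = cidr.split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix in ${cidr}`);
  // Shifting by 32 is a no-op in JS, so /0 is special-cased to an all-zero mask.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { network: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

// True if ip falls inside any range in cidrs. Only IPv4 is handled; anything
// unparseable (including IPv6 literals) fails closed and is treated as not allowed.
function ipAllowed(ip, cidrs) {
  let value;
  try { value = ipv4ToInt(ip); } catch { return false; }
  return cidrs.map(parseCidr).some(({ network, mask }) => ((value & mask) >>> 0) === network);
}

// Middleware for the login route: 403 for addresses outside the allowlist.
// req.ip is only trustworthy when Express's 'trust proxy' is set for the real
// reverse proxy; otherwise fall back to the socket address, since
// X-Forwarded-For is client-controlled.
function adminAllowlist(cidrs) {
  return (req, res, next) => {
    const ip = req.ip || (req.socket && req.socket.remoteAddress);
    if (!ipAllowed(ip, cidrs)) {
      return res.status(403).json({ error: 'login not permitted from this address' });
    }
    return next();
  };
}
```

Mount it only on the login endpoint (for example `app.post('/ghost/api/admin/session', adminAllowlist(ALLOWED_CIDRS), ...)` if that is where your install handles sign-in) so already-authenticated sessions and public pages are unaffected.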
We need this feature. Anti-bruteforce protection can only go so far, and 2FA is designed to be a combination of something you know (which can be prone to phishing and the like) and something you have, which tends to be less prone to phishing, increases security and is standard in most businesses.
Any updates here? …also voting 2FA up! This is an essential feature that's missing.
It is honestly really bad to still have no MFA option at all. I know 3 companies (making millions of dollars) that will not use Ghost because there is no MFA. Basically trying to lose money by not having this.
It would probably take 4-5 hours of work max to implement something basic like email-only MFA and an option to whitelist which IP ranges can log in to an account… very confusing to me that this isn't done yet.
Just started using Ghost a couple of weeks ago and I am very impressed by it.
The one thing I am curious about is how Multi-Factor authentication is not a feature/required on the /ghost admin page.
I also understand that there is brute-force protection (I believe the limit is 5 attempts per hour per IP), but MFA is a critical security feature for any platform to have nowadays.