Two factor authentication?

SydneyDev · January 23, 2020, 10:30pm

Could I please ask people how they go about forcing two factor authentication for users?

I have found users tend to sharing logins otherwise.

Looking at Ghost for a project but wonder about this aspect?

Thank you

StuartMorrisAU · January 24, 2020, 1:28pm

It’s not supported at the moment, nor is OAuth that would allow authentication through a third party that does support 2FA. It has been discussed before though.

shodandad · May 6, 2021, 9:26pm

How about now?

HachimanSec · May 10, 2021, 9:15am

Just came across this post as I set up my first Ghost instance.

It is 2021 and MFA via TOTP would be really a great feature. And it is really an accepted and widely available standard these days.

#MFANow

sunknudsen · January 25, 2022, 11:00pm

Stumbled upon Multi-factor authentication before reading this post.

I totally agree with @HachimanSec about TOTP being a great decentralized multi-factor authentication option that Ghost could implement.

Alexg · January 26, 2022, 12:19am

I’d just chuck Cloudflare Zero trust policies in front of it for now using their free teams access offering to get an email OTP to login.

I wrote about doing this, this month - under the section: Protect Ghost Admin Login with Cloudflare Teams

rchase · January 2, 2023, 6:39pm

It’s 2023 please implement TOTP 2FA

javorszky · February 13, 2023, 2:01pm

I would also like to throw my customer-ness behind the request to have 2fa implemented. Is that a ghost(pro) platform limitation, or an open-source Ghost missing functionality?

ie can we, the community implement it and ghostpro will use it, or do y’all need to take charge on it?

sharon_s · February 24, 2023, 9:58am

My blog got hacked and deleted and there is nothing I can do about it.

I will never use ghost pro again. I moved to substack which has 2FA and free.

Itchy · March 26, 2023, 8:32am

They say that anyone is welcome to develop features and add them to the project, so do you want to help implement the open source PrivacyIDEA? Here’s a link to their API. This is a guide for implementing OTP

Alternatively, there is Ory, “Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.”

I’m busy setting up my website at the moment but I’ll be exploring these in the future. If you want to help me find what works and what doesn’t I would appreciate it. I’ll add these links to the MFA request thread to see if anyone else wants to help. It seems like it’s in demand and necessary, as poor @sharon_s found out.

This was first asked for 5 years ago and I can’t find any documentation on the Git about it, so it looks like it’s up to us.

closebracket · July 4, 2023, 9:37pm

Hello,

I’ve signed up specifically to request 2FA/MFA. I had been trying to persuade friends to convert from Wordpress to Ghost but the lack of 2FA/MFA was a huge issue, and I can understand it. Many people process financial and other sensitive data on sites now and are legally held responsible for leaks/breaches. Not being able to protect with 2FA/MFA is a very 15+ year old issue. In some ways, it reminds me of my teen years hanging around coffee shops sniffing passwords because everything was sent unencrypted. This had been a feature request for many years, why hasn’t anyone picked it up?

I note that @Itchy has offered to do some dev towards it, and I’d be willing to help as well (15+ sysadmin/dev experience), but it would be good to see some effort towards enhancing security of the platform from the Ghost team. I really like the suggestion of FIDO2, being able to login with my Solokey would be beautiful.

Cb

Coolcmsc · July 4, 2023, 10:42pm

Just to add, I hope all visitors who think MFA would be good for Ghost have already headed over to the Ideas post on this (already referenced above).

Having said that, if using Ghost Pro, access is needed to the email account that’s linked to the login credentials that are being allegedly “shared”, so those credentials would also have to be shared.

sheldrake · September 27, 2023, 9:12am

Does Ghost still not have multi-factor / two-factor authentication? It’s now about the only resource I care about that just sits entirely behind a password. Not cool.

I wonder why such a highly-standardised and easy-to-implement feature remains undone here.

markstos · September 27, 2023, 2:09pm

There was some progress here. The code base contains a “SSO adapter” for staff logins:

Someone started on adapter which would allow Ghost to use Passport SSO strategies:

In turn, Passport supports logins via Google, SAML, TOTP, etc.

https://www.passportjs.org/packages/

Several of those strategies support a two-factor option as part of SSO.

sheldrake · September 30, 2023, 1:04pm

Thanks @markstos. This looks like waaaay more effort than I can muster for my own website.

I guess I just won’t recommend Ghost to anyone until such a simple feature is available.