Two factor authentication?

Could I please ask people how they go about forcing two factor authentication for users?

I have found users tend to share logins otherwise.

Looking at Ghost for a project but wonder about this aspect?

Thank you

1 Like

It’s not supported at the moment, nor is OAuth that would allow authentication through a third party that does support 2FA. It has been discussed before though.

1 Like

How about now?

3 Likes

Just came across this post as I set up my first Ghost instance.

It is 2021 and MFA via TOTP would really be a great feature. It is an accepted and widely available standard these days.

#MFANow

2 Likes

Stumbled upon Multi-factor authentication before reading this post.

I totally agree with @HachimanSec about TOTP being a great decentralized multi-factor authentication option that Ghost could implement.

2 Likes

I’d just chuck Cloudflare Zero trust policies in front of it for now using their free teams access offering to get an email OTP to login.

I wrote about doing this this month, under the section: Protect Ghost Admin Login with Cloudflare Teams

1 Like

It’s 2023, please implement TOTP 2FA.

5 Likes

I would also like to throw my customer-ness behind the request to have 2FA implemented. Is that a Ghost(Pro) platform limitation, or missing functionality in open-source Ghost?

i.e. can we, the community, implement it and Ghost(Pro) will use it, or do y’all need to take charge on it?

1 Like

My blog got hacked and deleted and there is nothing I can do about it.

I will never use Ghost(Pro) again. I moved to Substack, which has 2FA and is free.

2 Likes

They say that anyone is welcome to develop features and add them to the project, so do you want to help implement the open source PrivacyIDEA? Here’s a link to their API. This is a guide for implementing OTP.

Alternatively, there is Ory, “Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.”

I’m busy setting up my website at the moment but I’ll be exploring these in the future. If you want to help me find what works and what doesn’t I would appreciate it. I’ll add these links to the MFA request thread to see if anyone else wants to help. It seems like it’s in demand and necessary, as poor @sharon_s found out.

This was first asked for 5 years ago and I can’t find any documentation on the Git about it, so it looks like it’s up to us.

1 Like

Hello,

I’ve signed up specifically to request 2FA/MFA. I had been trying to persuade friends to convert from WordPress to Ghost, but the lack of 2FA/MFA was a huge issue, and I can understand it. Many people process financial and other sensitive data on sites now and are legally held responsible for leaks/breaches. Not being able to protect with 2FA/MFA is a very 15+-year-old issue. In some ways, it reminds me of my teen years hanging around coffee shops sniffing passwords because everything was sent unencrypted. This has been a feature request for many years; why hasn’t anyone picked it up?

I note that @Itchy has offered to do some dev towards it, and I’d be willing to help as well (15+ sysadmin/dev experience), but it would be good to see some effort towards enhancing the security of the platform from the Ghost team. I really like the suggestion of FIDO2; being able to log in with my Solokey would be beautiful.

Cb

1 Like

Just to add, I hope all visitors who think MFA would be good for Ghost have already headed over to the Ideas post on this (already referenced above).

Having said that, if using Ghost Pro, access is needed to the email account that’s linked to the login credentials that are being allegedly “shared”, so those credentials would also have to be shared.

Does Ghost still not have multi-factor / two-factor authentication? It’s now about the only resource I care about that just sits entirely behind a password. Not cool.

I wonder why such a highly-standardised and easy-to-implement feature remains undone here. :thinking:

There was some progress here. The code base contains a “SSO adapter” for staff logins:

Someone started on an adapter which would allow Ghost to use Passport SSO strategies:

In turn, Passport supports logins via Google, SAML, TOTP, etc.

https://www.passportjs.org/packages/

Several of those strategies support a two-factor option as part of SSO.

Thanks @markstos. This looks like waaaay more effort than I can muster for my own website.

I guess I just won’t recommend Ghost to anyone until such a simple feature is available. :frowning_face:

I’m going to boldly resurrect this thread because this is so critical – Ghost Pro users don’t really have the option of custom infrastructure to mitigate this.

What would it take to get this prioritized? What kind of contribution would be required from the community, if it cannot be prioritized?

The option I would recommend for MFA today would be passkeys for admins.

I doubt the Ghost team would object to someone contributing the feature.

Someone needs to hire a dev to get it done, or perhaps it could be crowdfunded.

This is something I’ve been working on on-and-off. I wrote simple-mfa to abstract the MFA part out of Ghost, and I plan to add passkey support this month. I have a branch that integrates Ghost and simple-mfa, but the UI was based on the Ember Admin Settings, which no longer exists. Funding would definitely put this higher on my priorities.

3 Likes

We are looking for MFA support for Ghost too.