Two factor authentication?

SydneyDev · January 23, 2020, 10:30pm

Could I please ask people how they go about forcing two factor authentication for users?

I have found users tend to sharing logins otherwise.

Looking at Ghost for a project but wonder about this aspect?

Thank you

StuartMorrisAU · January 24, 2020, 1:28pm

It’s not supported at the moment, nor is OAuth that would allow authentication through a third party that does support 2FA. It has been discussed before though.

shodandad · May 6, 2021, 9:26pm

How about now?

HachimanSec · May 10, 2021, 9:15am

Just came across this post as I set up my first Ghost instance.

It is 2021 and MFA via TOTP would be really a great feature. And it is really an accepted and widely available standard these days.

#MFANow

sunknudsen · January 25, 2022, 11:00pm

Stumbled upon Multi-factor authentication before reading this post.

I totally agree with @HachimanSec about TOTP being a great decentralized multi-factor authentication option that Ghost could implement.

Alexg · January 26, 2022, 12:19am

I’d just chuck Cloudflare Zero trust policies in front of it for now using their free teams access offering to get an email OTP to login.

I wrote about doing this, this month - under the section: Protect Ghost Admin Login with Cloudflare Teams

rchase · January 2, 2023, 6:39pm

It’s 2023 please implement TOTP 2FA

javorszky · February 13, 2023, 2:01pm

I would also like to throw my customer-ness behind the request to have 2fa implemented. Is that a ghost(pro) platform limitation, or an open-source Ghost missing functionality?

ie can we, the community implement it and ghostpro will use it, or do y’all need to take charge on it?

sharon_s · February 24, 2023, 9:58am

My blog got hacked and deleted and there is nothing I can do about it.

I will never use ghost pro again. I moved to substack which has 2FA and free.

Itchy · March 26, 2023, 8:32am

They say that anyone is welcome to develop features and add them to the project, so do you want to help implement the open source PrivacyIDEA? Here’s a link to their API. This is a guide for implementing OTP

Alternatively, there is Ory, “Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.”

I’m busy setting up my website at the moment but I’ll be exploring these in the future. If you want to help me find what works and what doesn’t I would appreciate it. I’ll add these links to the MFA request thread to see if anyone else wants to help. It seems like it’s in demand and necessary, as poor @sharon_s found out.

This was first asked for 5 years ago and I can’t find any documentation on the Git about it, so it looks like it’s up to us.