Could I please ask people how they go about forcing two factor authentication for users?
I have found users tend to share logins otherwise.
Looking at Ghost for a project, but I wonder about this aspect.
Thank you
It’s not supported at the moment, nor is OAuth, which would allow authentication through a third party that does support 2FA. It has been discussed before though.
How about now?
Just came across this post as I set up my first Ghost instance.
It is 2021 and MFA via TOTP would really be a great feature. And it really is an accepted and widely available standard these days.
#MFANow
Stumbled upon Multi-factor authentication before reading this post.
I totally agree with @HachimanSec about TOTP being a great decentralized multi-factor authentication option that Ghost could implement.
I’d just chuck Cloudflare Zero Trust policies in front of it for now, using their free Teams access offering to get an email OTP to log in.
I wrote about doing this this month, under the section: Protect Ghost Admin Login with Cloudflare Teams
It’s 2023 please implement TOTP 2FA
I would also like to throw my customer-ness behind the request to have 2FA implemented. Is that a Ghost(Pro) platform limitation, or open-source Ghost missing functionality?
ie can we, the community implement it and ghostpro will use it, or do y’all need to take charge on it?
My blog got hacked and deleted and there is nothing I can do about it.
I will never use Ghost Pro again. I moved to Substack, which has 2FA and is free.
They say that anyone is welcome to develop features and add them to the project, so do you want to help implement the open source PrivacyIDEA? Here’s a link to their API. This is a guide for implementing OTP.
Alternatively, there is Ory, “Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.”
I’m busy setting up my website at the moment but I’ll be exploring these in the future. If you want to help me find what works and what doesn’t I would appreciate it. I’ll add these links to the MFA request thread to see if anyone else wants to help. It seems like it’s in demand and necessary, as poor @sharon_s found out.
This was first asked for 5 years ago and I can’t find any documentation on the Git about it, so it looks like it’s up to us.
Hello,
I’ve signed up specifically to request 2FA/MFA. I had been trying to persuade friends to convert from WordPress to Ghost, but the lack of 2FA/MFA was a huge issue, and I can understand it. Many people process financial and other sensitive data on sites now and are legally held responsible for leaks/breaches. Not being able to protect with 2FA/MFA is a 15+-year-old issue. In some ways, it reminds me of my teen years hanging around coffee shops sniffing passwords because everything was sent unencrypted. This has been a feature request for many years; why hasn’t anyone picked it up?
I note that @Itchy has offered to do some dev towards it, and I’d be willing to help as well (15+ years of sysadmin/dev experience), but it would be good to see some effort towards enhancing the security of the platform from the Ghost team. I really like the suggestion of FIDO2; being able to log in with my Solokey would be beautiful.
Cb
Just to add, I hope all visitors who think MFA would be good for Ghost have already headed over to the Ideas post on this (already referenced above).
Having said that, if using Ghost Pro, access is needed to the email account that’s linked to the login credentials that are being allegedly “shared”, so those credentials would also have to be shared.