Add optional 2FA. Should support Authenticator Apps and Backup Codes at least. If y'all feel like it, Security Keys and Passkeys too.
Posted under Site Bug Reports & Feature Requests
anonymousfurry123 said:
Add optional 2FA. Should support Authenticator Apps and Backup Codes at least. If y'all feel like it, Security Keys and Passkeys too.
Why?
calydor said:
Why?
So that others can't access your account even if they had access to your login info. I mean, not too long ago we had a fuckton of hijacked accounts spamming the site with junk.
I had worked on this nearly a year ago, and had a full implementation.
I was in the process of getting it implemented into the site when some things went down. While not all that complicated, it's still a lot of moving parts.
It was going to be 3 parts, with part one only getting merged after 9 months (it was practically feature complete in September 2024)
However I left staff and development of e6 just a few days after this was merged, so unless someone else picks up the torch (looking at you Aacafah), it's dead in the water
Some example screenshots: [1] [2] [3] [4]
calydor said:
Why?
Objectively good security features are never a "why"
I've asked for this before, though not here. It's also not too hard to add - I could do it myself if there's enough interest, though working with Ruby is annoying.
donovan_dmc said:
It was going to be 3 parts, with part one only getting merged after 9 months (it was practically feature complete in September 2024)
However I left staff and development of e6 just a few days after this was merged, so unless someone else picks up the torch (looking at you Aacafah), it's dead in the water
sigh... alright, you got me. I'll add it to my todo list.
While we’re at it, maybe also add OAuth login flow so people can sign up with “Log in with Facebook” etc?
Strongly agree with this suggestion. Preferably with Yubikey and similar support. We've had at least one instance of a password manager being hacked and mass account takeovers as a result. MFA support would make that much less likely to occur.
aacafah said:
sigh... alright, you got me. I'll add it to my todo list.
If you do actually pick it up this was part two
I'm sure it could easily be decoupled, but both together are good security additions
I'm also sure the surrounding code on both sides has changed significantly since this was originally made (it has been 15 months), so it won't be an easy copy-paste job but the two codebases should still be fairly close (unlike now where they are wildly incompatible)
0f8c4c9d05154171ae8 said:
While we’re at it, maybe also add OAuth login flow so people can sign up with “Log in with Facebook” etc?
mklxiv said:
Strongly agree with this suggestion. Preferably with Yubikey and similar support. We've had at least one instance of a password manager being hacked and mass account takeovers as a result. MFA support would make that much less likely to occur.
Ok, let's take this one step at a time. Updating a completed feature for the current codebase & adding a wholly new feature are 2 different beasts; I'm not saying no, but I am saying that's not happening soon (my todo list is too big as is). If you remember, ask me in a month or so. And no, I'm not saying that to be dismissive, actually feel free to remind me when I might have the time.
donovan_dmc said:
If you do actually pick it up this was part two
I'm sure it could easily be decoupled, but both together are good security additions
I'm also sure the surrounding code on both sides has changed significantly since this was originally made (it has been 15 months), so it won't be an easy copy-paste job but the two codebases should still be fairly close (unlike now where they are wildly incompatible)
I'll see how compatible they are when I add the other one & make a call then, but a quick look says it's something we've been talking about adding, so it'll probably end up on my plate eventually; thanks for the head-start!
aacafah said:
Ok, let's take this one step at a time. Updating a completed feature for the current codebase & adding a wholly new feature are 2 different beasts; I'm not saying no, but I am saying that's not happening soon (my todo list is too big as is). If you remember, ask me in a month or so. And no, I'm not saying that to be dismissive, actually feel free to remind me when I might have the time.
I've worked as a developer (both as a web developer and doing .NET stuff) so I understand, consider my feedback as a suggestion and not a demand. :P Also I wanna state I was agreeing with the OP, I wouldn't want to log in with social media here (or anywhere, but that's just me).
Imagine if we made e6 an OAuth provider, that would be pretty lit. "Log in with e621"
catt0s said:
Imagine if we made e6 an OAuth provider, that would be pretty lit. "Log in with e621"
That’d be pretty neat indeed. Would instantly hit HackerNews front page.