
Support Passkey / other 2FA methods #181

Open

thomassth opened this issue Dec 12, 2024 · 2 comments


thomassth commented Dec 12, 2024

Related to bluesky-social/social-app#1071; this issue is a feature request for relevant backend implementation.

Other relevant discussion: #99 (comment)

Is your feature request related to a problem? Please describe.

Two-factor authentication is generally a very handy feature for security purposes, as passwords and logins sometimes fail. Two-factor authentication has become a very common addition to the login suite for protection.

Describe the solution you'd like

Implementation and support of some kind of 2FA support for accounts, besides email

For example:

  • Passkeys
  • Hardware security key such as YubiKey
  • TOTP codes, used with Google Authenticator etc

Describe alternatives you've considered

While better than SMS, email is still relatively insecure when compared to other authentication measures.


MarkBennett commented Dec 12, 2024

One comment on the Passkey implementation. It would be handy to allow adding multiple passkeys to an account.

For example, I use 1Password, Mac OS Keychain, and Google Password Manager on various devices. Though I try to use 1Password exclusively, having backup Passkeys in the keychain and Google would give me extra confidence that my account is secure but that I won't ever lose access either. Therefore, I'd appreciate being able to add multiple Passkeys to my account.

To distinguish them, recording a unique name supplied by the user as well as the date added would be helpful.

@MarkBennett

Separately, I've noticed that some sites require you to enter your email, then only prompt for the passkey when the user clicks on the password input. Technically, the passkey includes all relevant information (email, handle, etc.), so it would be OK to prompt for a passkey when the user clicks on the email/handle field, or even when the login page is first displayed.

I'd be curious to know if others have feelings on this, as prompting too early could annoy users that haven't yet set up passkeys. It doesn't seem like norms or best practices for this have fully developed yet, so it would be worthwhile considering what other popular Passkey consumers do.
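The two points raised in these comments (several passkeys per account, each with a user-supplied name and the date it was added, and resolving the account from the passkey itself so the prompt can appear before a handle is typed) as a small TypeScript registry. This is an added example, not code from the issue or from the Bluesky project; the `PasskeyRegistry` class and its method names are hypothetical, and the account IDs, credential IDs and key strings are constructed placeholders. Verifying the assertion signature against the stored public key is outside the scope of the snippet.

```typescript
// Added example (not Bluesky/atproto code): an in-memory registry holding
// multiple passkeys per account, each labelled and dated, with lookup of the
// account from a credential ID alone. All IDs/keys used with it are constructed.

interface StoredPasskey {
  credentialId: string; // base64url credential ID chosen by the authenticator
  publicKey: string;    // COSE public key (base64url) used to verify assertions
  name: string;         // label supplied by the user, e.g. "1Password"
  addedAt: Date;        // registration time, shown next to the name in settings
  signCount: number;    // last authenticator signature counter seen
}

interface CredentialDescriptor {
  type: "public-key";
  id: string;
}

class PasskeyRegistry {
  private byAccount = new Map<string, StoredPasskey[]>();
  private byCredential = new Map<string, string>(); // credential ID -> account ID

  register(accountId: string, credentialId: string, publicKey: string,
           name: string, now: Date = new Date()): StoredPasskey {
    const label = name.trim();
    if (label.length === 0 || label.length > 64) {
      throw new Error("passkey name must be 1-64 characters");
    }
    // A credential ID must identify exactly one account: registering an ID
    // that is already known, for any account, is refused so lookups stay unambiguous.
    if (this.byCredential.has(credentialId)) {
      throw new Error("credential ID already registered");
    }
    const list = this.byAccount.get(accountId) ?? [];
    if (list.some((p) => p.name === label)) {
      throw new Error(`a passkey named "${label}" already exists on this account`);
    }
    const entry: StoredPasskey = { credentialId, publicKey, name: label, addedAt: now, signCount: 0 };
    list.push(entry);
    this.byAccount.set(accountId, list);
    this.byCredential.set(credentialId, accountId);
    return entry;
  }

  // Passkeys for the account settings page, oldest first.
  list(accountId: string): StoredPasskey[] {
    return [...(this.byAccount.get(accountId) ?? [])]
      .sort((a, b) => a.addedAt.getTime() - b.addedAt.getTime());
  }

  // Resolve the account from the credential ID carried in an assertion. This is
  // what lets a login page ask for a passkey before an email or handle is typed.
  accountForCredential(credentialId: string): string | undefined {
    return this.byCredential.get(credentialId);
  }

  // allowCredentials for a WebAuthn get() request: restrict to the account's
  // passkeys when the account is already known; when it is not (prompt shown at
  // page load), return an empty list so the authenticator offers its own
  // discoverable credentials.
  allowCredentialsFor(accountId?: string): CredentialDescriptor[] {
    if (accountId === undefined) return [];
    return this.list(accountId).map((p) => ({ type: "public-key" as const, id: p.credentialId }));
  }

  // Record a successful assertion. If either side reports a non-zero counter,
  // the new value must be strictly greater than the stored one; a counter that
  // did not advance suggests a cloned authenticator and the use is refused.
  recordUse(credentialId: string, newSignCount: number): boolean {
    const accountId = this.byCredential.get(credentialId);
    if (accountId === undefined) return false;
    const entry = this.byAccount.get(accountId)!.find((p) => p.credentialId === credentialId)!;
    if ((entry.signCount !== 0 || newSignCount !== 0) && newSignCount <= entry.signCount) {
      return false;
    }
    entry.signCount = newSignCount;
    return true;
  }

  // Remove one passkey; the other passkeys on the account are untouched.
  remove(accountId: string, credentialId: string): boolean {
    const list = this.byAccount.get(accountId);
    if (!list) return false;
    const idx = list.findIndex((p) => p.credentialId === credentialId);
    if (idx < 0) return false;
    list.splice(idx, 1);
    this.byCredential.delete(credentialId);
    return true;
  }
}
```

Keeping the credential-ID index global rather than per account is what makes the early prompt work: the server can map the assertion it receives straight to an account, and the same index is what rejects a credential ID that some other account has already registered.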
