Multi-factor authentication
Remove these ads. Join the Worldbuilders Guild
Multi-factor authentication
New Feature Addition · World management · Created by MoonRaven
accepted
Security MFA 2FA 2-factor-authentication authentication yubikey totp
Request
Security of accounts is always important. Even if you have a strong password, if it gets leaked, or if someone looks over your shoulder, having MFA would prevent them from gaining access without a second piece of information which will be different for every login session.MFA
Multifactor authentication works by providing 2 or more pieces of evidence to authenticate the user. In a lot of cases, TOTP (for example Google Authenticator) is implemented. Other examples are hardware keys like a YubiKey or SoloKey by using the FIDO standard. Other uses are, for example, by SMS or Email, which have been proven to be unreliable in the past.How does this feature request address the current situation?
Not everyone may want to use it, but by providing MFA, users can opt-in to have a more secure login to WA.What are other uses for this feature request?
This can also be used to prevent unauthorized password changes, world deletions or even generating new API keys.Follow up
Just a clarification, Google Authenticator uses the TOTP standard, it is NOT required to use Google Authenticator. You can use Microsoft Authenticator, Authy or any of the other TOTP apps.
I see downvotes on that this shouldn't be required, the request SPECIFICALLY says it should be opt-in. If you don't want to use it, that's fine, other people, like me, do want to. It's our security, if you don't want it, fine?
Also to clarify, a TOTP code is not extra information. It's a trust between you and the site. The site says "here's an extra code, scan it, and then you can generate temporary codes so you can authenticate yourself to us". There is no personal information stored. Keep in mind that WA says that if your delete an article, it is non-reversible. So if someone looks over your shoulder for your password, they can get in. A TOTP code will block that.
The Team's Response
Thanks for your suggestion and for all your comments! We're accepting this for a future update.
Current score
85/300 Votes · +19703 points
Votes Cast
-
+300
by ChairmanFirantine
on 2023-09-14 10:11 -
+300
by ashensoul314
on 2023-09-13 16:00 -
+300
by SnowKT
on 2023-09-13 14:56 -
+300
by MadToxin
on 2023-09-13 14:19 -
+300
by Grathew
on 2023-09-12 20:01 -
+300
by Goose80
on 2023-09-12 03:21 -
+300
by Pete Nelson
on 2023-09-11 20:10A lot of people won't/don't understand the technical jargon of the TOTP standard, etc., but the additional security for your account should be understandable to everyone. Many people don't use strong passwords. As a retired senior web application architect for a Fortune 50 company, let me assure you that it's incredibly easy to hack the majority of people's passwords. WA *needs* this.
-
+300
by Kippy_
on 2023-09-11 19:48 -
+300
by JaenJaenJaen
on 2023-09-11 18:35 -
+300
by DMFW
on 2023-09-11 14:55Yes if it is opt in. Would I personally opt in? Probably not if I'm honest as I only use WA on machines at home and consider an account hack unlikely (if never quite impossible) and I'm happy to balance the risk against the convenience. But it's not all about me and I absolutely understand why some people want it.
-
+300
by ThyPirateKing
on 2023-09-11 13:41It would be nice to have the option for Multi-Factor Authentication. Rather it be with the Google Authenticator (which would be my preference) or otherwise. It shouldn't be a requirement to use and/or make an account. But I think the option of more security is always a good thing no matter what, as long as you can still opt out if you want to.
-
+300
by MultyLyminus
on 2023-09-11 12:46 -
+300
by zekompozer
on 2023-09-11 07:14Please yes, and the more options the merrier (time-based with backup codes, email, etc.).
-
+1
by A Enfeebled Unicorn
on 2023-09-11 02:04 -
-300
by Jubliana
on 2023-09-09 20:48It's already a massive pain to log into WA from a tablet at a new location and many times I've had to just wing it anyway as I could not get the account to let me in. The shenanigans if my phone is dead will be unimaginable. At the very least, add it inside the account if someone wants to make billing changes, but not just getting into the editor.
-
+100
by Keon Croucher
on 2023-09-09 09:18If its opt in, then I'm down. Again its a hobby space for me. If someone got in here, since I only ever do this or open WA in my own residence that means it'd be someone I had in my home. So I'd just knock some heads til someone fessed up, and make em cough up whatever the new login was, login, chance it back, and then exile them from my life forever. So I wouldn't use this, and wouldn't want to be forced to.
-
+300
by Destroyer831642
on 2023-09-09 01:57 -
+100
by Thorolf_Skallagrim
on 2023-09-09 01:49 -
+100
by kalonaplays
on 2023-09-08 20:24 -
+300
-
+300
by GalloEX
on 2023-09-08 05:02 -
+300
by DemonDC
on 2023-09-07 22:24 -
+300
by finaldraftrpg
on 2023-09-07 09:32My WorldAnvil account has hundreds of thousands of words of lore, information, and content all conveniently arranged. Losing it all to a bad actor would be an extremely sad state of affairs, so I would strongly approve of anything that makes it harder for bad actors to get access to my account.
-
+300
-
+100
by Slinkadath
on 2023-09-07 02:30 -
+300
by A Thundering Devil
on 2023-09-06 19:24 -
+300
by MasterTamari
on 2023-09-06 15:47 -
+100
by Starsavior
on 2023-09-06 11:33 -
+100
by BagicalMindi
on 2023-09-05 17:11 -
+1
by Buzzard
on 2023-09-05 01:43 -
+300
by Tobus
on 2023-09-04 18:19 -
+300
by illumiinae
on 2023-09-04 02:11 -
+100
by FredTheGreatWizard
on 2023-09-03 15:11 -
+300
by Polyduces
on 2023-09-03 13:46 -
+300
-
+300
by crossesk
on 2023-09-02 11:55Definitely should be an option for public creators. Wouldn't recommend making it mandatory yet.
-
+1
by AvalonArcana
on 2023-09-02 00:40 -
+300
by godlyginger13
on 2023-09-01 22:40 -
+300
by Kydra_Hunter
on 2023-09-01 19:10 -
+300
-
+300
by nflagey
on 2023-09-01 03:10 -
+100
by Mally1994
on 2023-08-31 19:55 -
+100
-
+300
by A Beloved Dragon
on 2023-08-31 06:58 -
+300
by Sh4d0wPh03n1x
on 2023-08-31 06:07 -
+300
by Imper1um
on 2023-08-30 21:18 -
+100
by Silas_Clockwork
on 2023-08-30 15:06 -
+300
by Mr_mal
on 2023-08-30 03:48 -
+300
by PurpleFeathers
on 2023-08-30 02:55 -
+300
by Enoris.leinwand
on 2023-08-29 21:11 -
+300
by Ailill Blackwood
on 2023-08-29 20:34 -
+300
by Cobblers95
on 2023-08-29 19:56 -
+300
by themrbeasley
on 2023-08-29 19:32 -
+300
by CTEJedi
on 2023-08-29 15:17 -
+300
by ChalktheDM
on 2023-08-29 13:30 -
+300
by A Revolutionary Dragon
on 2023-08-28 22:35This should be standard
-
+300
by Lakuna
on 2023-08-28 17:16 -
+100
by Alexvandy35
on 2023-08-28 14:36 -
+300
by Shaen
on 2023-08-28 13:52 -
+100
by MKirk17
on 2023-08-28 09:04 -
+300
by A Filthy Velociraptor
on 2023-08-28 00:41 -
+300
by Thyachalis
on 2023-08-27 15:03 -
+100
-
+300
by pbrand
on 2023-08-27 07:23 -
+300
by Alyvins
on 2023-08-27 01:31 -
+300
-
+300
by hwcarver
on 2023-08-26 16:50I read the proposal and understand that the MFA is suggested to be opt-in. I would opt in. Among other reasons, the added security appeals to me because I don't want WIP/draft content accessed without my explicit consent.
-
+300
by Bonus Action
on 2023-08-26 13:34As someone who uses WA as a part of my business, I would like to see this implemented. I do agree that opt-in would probably be the best as I understand for others it might just be annoying.
-
+300
by Rinzler
on 2023-08-26 04:50 -
+300
by tarkinlarson
on 2023-08-25 17:50 -
+300
by SyntaxChick
on 2023-08-25 17:40 -
-100
by A Mischievous Dwarf
on 2023-08-25 12:26Multi-factor authentication is a pain even when it's necessary. I don't think it's necessary here.
-
+300
by Nimsy
on 2023-08-25 09:00While very similar to a recent made suggestion about upgrading security, I'll still throw some coins in as I'd very much like to see upgrades to login security to the site. TFA/MFA would be a pretty good opt-in feature, along with better email verification.
-
-1
by SebGreg732
on 2023-08-24 14:01This is very similar to another request that was just made about enhanced security. I genuinely don't think a fun, world-building/story-telling site like World Anvil should be gathering or requiring even more personal information about us than it already does. If these things are implemented, they should be opt-in.
-
-300
by Sai_
on 2023-08-24 09:14 -
+300
by A Enfeebled Orc
on 2023-08-24 06:58 -
+300
by Drasvin
on 2023-08-23 22:50 -
+100
by Byzantian
on 2023-08-23 22:20 -
+300
by Rahjar
on 2023-08-23 21:33 -
+100
by JoellaKay
on 2023-08-23 21:24As an option for those who want it, yes. I prefer SMS or Microsoft Authenticator, myself
-
+1
by Koaster
on 2023-08-23 20:42 -
+300
by A Enfeebled Dragon
on 2023-08-23 19:00I would definitely love YubiKey compatibility. I prefer to stay away from Google because they have way too much of my personal information already, but I don't mind it being there as an option.
-
+300
by Demongrey
on 2023-08-23 16:11 -
+300
by strixxline
on 2023-08-23 14:56As someone who has been victim of this age's frequent data leaks, I'd feel a lot cozier if there was an extra layer of security on my favorite site!
-
+300
by J.K.H
on 2023-08-23 14:50 -
+300
by MoonRaven
on 2023-08-23 14:48
Find your way!
Resources
WHO WE ARE
LEGAL
Get the news
Listen to our Podcast
Our Allies
by 3 Armored Kittens · Prodromos v.1.1 - World Anvil 0.9.15.009 © 2017-2024 [en] | Anvil Time: 10:04, May 2 2024