As we all here on WorldAnvil know, worlds can be dangerous places, and our own world is no exception. As WorldAnvil grows, it is likely to start attracting people with the intent to cause harm or mischief.
In order to increase the security of our worlds I would like to see some form of MFA implemented in order to add another layer of defence against unwanted account access.
Multi-Factor Authentication works by using a second device/service as another requirement to log into the account. It is a requirement for the codes to be randomly generated and only useful for a limited amount of time/uses.
Common solutions include, but are not limited to:
All of them have merit, but the SMS version is likely going to have a higher ongoing cost, probably making the other options more likely.
MFA could be expanded to be used in other sensitive areas as well, for example world deletion, article deletion (probably wanna turn MFA off when deleting many articles), accessing sensitive account settings (API keys, password change, etc.), changing subscription settings, etc.
Of course it would be best if we had the ability to choose where we want MFA to be necessary. I can see many people turning it off for article deletion.
A neat addition would be if we could say "If there is more than x amount of activity, ask for MFA". An example would be to not request MFA for deleting an article or two, but if suddenly a lot of articles are being deleted, then it comes into play.
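The activity-threshold idea in the post above ("if there is more than x amount of activity, ask for MFA"), sketched as an added example that is not part of the original post or WorldAnvil's code. The class, its parameters and the sample timestamps are hypothetical; it uses a sliding time window per account and treats a recently passed MFA check as valid for a short grace period.

```python
from collections import defaultdict, deque


class StepUpPolicy:
    """Ask for MFA once an account exceeds `threshold` sensitive actions
    inside a sliding `window` (seconds). All names here are hypothetical."""

    def __init__(self, threshold=3, window=600, mfa_grace=300):
        self.threshold = threshold
        self.window = window
        self.mfa_grace = mfa_grace          # how long a passed MFA check stays valid
        self._events = defaultdict(deque)   # account -> timestamps of allowed actions
        self._verified_at = {}              # account -> time of last passed MFA check

    def _recent(self, account, now):
        q = self._events[account]
        while q and now - q[0] >= self.window:   # drop events older than the window
            q.popleft()
        return q

    def mfa_passed(self, account, now):
        """Call after the user completes an MFA challenge."""
        self._verified_at[account] = now

    def check(self, account, now):
        """Return 'allow' or 'challenge' for one sensitive action at time `now`."""
        q = self._recent(account, now)
        verified = self._verified_at.get(account)
        fresh = verified is not None and now - verified < self.mfa_grace
        if len(q) >= self.threshold and not fresh:
            return "challenge"               # action is held until MFA succeeds
        q.append(now)                        # only completed actions are counted
        return "allow"


def replay(policy, account, times):
    """Run a list of action timestamps through the policy, in order."""
    return [policy.check(account, t) for t in times]


if __name__ == "__main__":
    # Constructed sample: article deletions at 0 s, 5 s and 10 s into a session.
    p = StepUpPolicy(threshold=2, window=60, mfa_grace=30)
    print(replay(p, "alice", [0, 5, 10]))
```

Because challenged actions are not counted, a burst that is blocked does not keep extending its own lockout; the window empties once the allowed actions age out.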
I cannot use SMS or email in my country to gain access to western websites. Please do not do this.
Changing password, email address, or payment information, or accessing other higher-security parts of the account, should require mandatory email verification as a minimum. Having other optional forms of MFA and having MFA for other features such as deleting worlds/articles, logging into the account, changing sharing/view permissions would be nice.
No no no no no please no! If you must, at the very least make it optional. If I get locked out of my own account because of excessive security measures one more time I'm going to kill myself.
As any security nutter, I'd really appreciate an opportunity to use an authenticator app for this.
I hate two-factor authentication. As someone with a slew of memory and functioning problems, it's incredibly frustrating not being able to access a site or an email or my medical documents because I forgot/broke/lost my phone, or I can't get into my other account, or I just needed to get in for 10 seconds but now I have to leave and the verification hasn't even arrived yet. All of that said, the security benefits trump my personal downfalls lol.
MFA is great when properly used. If World Anvil does use it, consider an app like Google Authenticator instead of SMS.
I am a big proponent of 2FA for all things. If you're reading this and do not currently have 2FA for your other accounts, go do it now.