The built-in e-mail second factor is not as reliable and requires storing e-mail account data on the website, which is not ideal from a security perspective.
Is there a plan to integrate proper 2FA, such as generation of QR codes for TOTP or even FIDO/passkey support, built into Kirby? IMHO this is so super important nowadays that it should be done.
Thank you, I have seen this, but I am not a professional programmer, so I will not try to implement authentication on my own; that is too risky. Neither should people who don't know Kirby as well as the core team does, which is why I am saying this should absolutely be a core feature.
Agreed. 2FA should be the standard these days. I suppose in lieu of such a feature, it’s important to keep good backups, so if the worst does happen, you can always restore.
Losing the content might be painful but is nothing compared to other things that can happen. For example: you have third-party integrations with API keys, such as your CRM or newsletter system, and a hacker steals customer data. Or you saved access data to an e-mail account, opening up a whole different can of worms. Or what about payment systems? The list goes on and on.
Perhaps you can support @rasteiner to remove the experimental state
My Nolt vote will also come.
But I also agree … let them finish K4 and squeeze bugs and then add new functionality. Of course we can demand a lot, but then we also need to pay much more.
That’s very kind of you, but I agree that such functionality is best given by the core.
My repo is just an exploration, to see what kind of challenges one could face when implementing something like this and to give basic ideas on how the UX could work… I always think it’s easier to improve on something rather than starting from scratch.
As an example, my experiment shows that it would be ideal if we could disable password logins for users that have registered a passkey*, and that doing this with the current (kirby 3) API isn’t exactly easy.
* One of the advantages of passkeys is that you eliminate the threat of phishing sites, because users simply don't have any credentials they could leak. Obviously, if you let users skip the passkey challenge and let them log in with a normal password, that advantage is lost, and at that point the passkey only provides a false sense of security.
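The two points made in the post above (a passkey assertion is bound to the origin it was produced on, and a password fallback hands that protection back to a phisher) can be shown with a small login-policy sketch. This is an added example, not code from Kirby or from the experiment linked in the thread; it assumes a relying-party origin `https://example.test` and a look-alike phishing origin `https://examp1e.test`, and it uses an HMAC key as a stand-in for the public/private key pair a real WebAuthn authenticator would hold (no attestation, signature counter or rpId handling is modelled).

```python
"""Login-policy sketch: no password fallback once a passkey is registered.

Constructed example, not Kirby code. Shows two things:
1. A relying party only accepts an assertion whose clientData origin equals
   its own origin, so a passkey exercised on a phishing page never verifies.
2. If the same account still accepts a plain password, a phished password
   bypasses the passkey, so password login must be refused once a passkey
   exists for that user.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

RP_ORIGIN = "https://example.test"      # assumed origin of the real site
PHISH_ORIGIN = "https://examp1e.test"   # assumed look-alike phishing origin
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    passkeys: dict = field(default_factory=dict)  # credential_id -> verification key (toy)


def make_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(name, salt, digest)


def register_passkey(user: User) -> tuple:
    """Toy enrolment: a shared HMAC key stands in for the key pair a real
    authenticator generates. Returns (credential_id, authenticator-side key)."""
    cred_id = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    user.passkeys[cred_id] = key
    return cred_id, key


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> dict:
    """What browser + authenticator produce. The browser, not the user, fills
    `origin` from the page that issued the request, so a phishing page can
    only ever obtain an assertion bound to its own origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    ).encode()
    signed = challenge + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "signature": hmac.new(key, signed, "sha256").digest()}


def verify_assertion(user: User, cred_id: str, challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: origin and challenge must match before the
    signature is even considered."""
    key = user.passkeys.get(cred_id)
    if key is None:
        return False
    client_data = json.loads(assertion["client_data"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != RP_ORIGIN or client_data.get("challenge") != challenge.hex():
        return False
    signed = challenge + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_with_password(user: User, password: str, passwordless_once_enrolled: bool) -> bool:
    """Password login. With `passwordless_once_enrolled=True` a user who has
    any passkey cannot log in by password at all, even with the right one."""
    if passwordless_once_enrolled and user.passkeys:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user.password_hash)


def demo() -> dict:
    """Runs the four scenarios and returns their outcomes."""
    password = "correct horse battery staple"   # constructed sample credential
    user = make_user("editor", password)
    cred_id, key = register_passkey(user)
    challenge = secrets.token_bytes(32)
    return {
        # passkey used on the real site: accepted
        "passkey_real_origin": verify_assertion(
            user, cred_id, challenge, sign_assertion(key, challenge, RP_ORIGIN)),
        # same passkey exercised on the phishing page: origin mismatch, rejected
        "passkey_phish_origin": verify_assertion(
            user, cred_id, challenge, sign_assertion(key, challenge, PHISH_ORIGIN)),
        # password typed into the phishing page and replayed by the attacker
        "phished_password_lax_policy": login_with_password(user, password, False),
        "phished_password_strict_policy": login_with_password(user, password, True),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'login OK' if ok else 'rejected'}")
```

With the lax policy the captured password still logs the attacker in, which is exactly the "false sense of security" case; with the strict policy only a genuine assertion for the real origin gets through. In a real WebAuthn deployment the browser additionally refuses to offer the credential on a page whose rpId does not match, so the origin check here is the server-side backstop, not the only defence.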
I totally agree as well. Login to the system must be part of the system, especially if UX and security are improving.
Since everyone should only work 8 hours a day and the backlogs are exploding, I recommend getting inspired by your experiment, including the core members.