Plans to support proper 2FA such as FIDO or Passkeys?

The in-built e-mail second factor is not as reliable and requires storing e-mail account data on the website, which is not ideal from a security perspective.

Is there a plan to integrate proper 2FA, such as generation of QR codes for TOTP or even FIDO/Passkey support, built into Kirby? IMHO this is so super important nowadays that this should be done.

Thanks
Andreas

Not that I’m aware of, at the moment the focus is on the release of Kirby 4, so any new features would have to wait until after this release.

Feel free to create a feature request on https://feedback.getkirby.com

Done: Support modern authentication: FIDO/Passkeys, TOTP, OTP etc · Kirby Feedback (nolt.io)

However, I think that such a crucial security point should not be voted on; it should be built in on a serious platform such as Kirby.

</Strong suggestion rant end>

You could have a look at implementing auth challenges as described in the docs:

Thank you, I have seen this, but I am not a professional programmer, so I will not try to implement authentication on my own; that is too risky. Neither should people who don’t know Kirby as well as the core team does. That is why I am saying this should absolutely be a core feature.

Agreed. 2FA should be the standard these days. I suppose in lieu of such a feature, it’s important to keep good backups, so if the worst does happen, you can always restore.

We are in the year 2023 and this should be self-evident :thinking: I’d recommend version control systems like Git.

Something can always go wrong, even if you are not hacked.

Losing the content might be painful but is nothing compared to other things that can happen. For example: you have third-party integrations with API keys, such as your CRM or newsletter system, and a hacker steals customer data. Or you saved access data to an e-mail account, opening up a whole different can of worms. Or what about payment systems? The list goes on and on.

Good news, seems to be coming in v4 :slight_smile: See Thread on Discord

At least TOTP - Passkeys we’d like but maybe later, not 4.0

True but at least TOTP :slight_smile: :+1:

Hi!

I’m using GitHub - rasteiner/k3-fido2: ⚠️Experimental⚠️ FIDO2 / WebAuthn Login Screen for Kirby 3 with my Kirby site and it works like a charm.
Sooooo convenient.

Perhaps you can support @rasteiner to remove the experimental state :wink:

My Nolt vote will also come.

But I also agree … let them finish K4 and squeeze bugs and then add new functionality. Of course we can demand a lot, but then we also need to pay much more :wink:

That’s very kind of you, but I agree that such functionality is best given by the core.

My repo is just an exploration, to see what kind of challenges one could face when implementing something like this and to give basic ideas on how the UX could work… I always think it’s easier to improve on something rather than starting from scratch.
As an example, my experiment shows that it would be ideal if we could disable password logins for users that have registered a passkey*, and that doing this with the current (Kirby 3) API isn’t exactly easy.

* one of the advantages of passkeys is that you eliminate the threat of phishing sites, because users simply don’t have any credentials they could leak. Obviously if you let users skip the passkey challenge and let them login with a normal password that advantage is lost, and at that point the passkey only provides a false sense of security.
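As an added illustration of the two points above (the origin binding that makes passkeys phishing-resistant, and refusing password logins once a passkey exists), this is example code written for this thread, not code from Kirby or from k3-fido2; the function names and the `passkeys` field on the user array are hypothetical.

```php
<?php
// Decode the base64url encoding WebAuthn uses for clientDataJSON.
function b64urlDecode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad);
}

// Check the clientDataJSON the browser returns with a login assertion.
// The browser fills in "origin" itself and the authenticator only answers
// for the registered RP ID, so a look-alike site at another origin cannot
// obtain an assertion that passes this check; the challenge check stops
// replay of an old assertion.
function verifyClientData(string $clientDataB64, string $expectedChallenge, string $expectedOrigin): bool {
    $data = json_decode(b64urlDecode($clientDataB64), true);
    if (!is_array($data)) {
        return false;
    }
    return ($data['type'] ?? '') === 'webauthn.get'
        && hash_equals($expectedChallenge, (string)($data['challenge'] ?? ''))
        && ($data['origin'] ?? '') === $expectedOrigin;
}

// Login policy: once a user has registered a passkey, a plain password
// is no longer accepted, otherwise the phishing resistance is lost.
function passwordLoginAllowed(array $user): bool {
    return empty($user['passkeys']);
}

// Constructed sample data (a real server generates the challenge randomly
// per login attempt and stores it in the session).
$challenge  = 'c29tZS1yYW5kb20tY2hhbGxlbmdl';
$clientData = rtrim(strtr(base64_encode(json_encode([
    'type'      => 'webauthn.get',
    'challenge' => $challenge,
    'origin'    => 'https://example.com',
])), '+/', '-_'), '=');

var_dump(verifyClientData($clientData, $challenge, 'https://example.com'));
var_dump(verifyClientData($clientData, $challenge, 'https://example.com.evil'));
var_dump(passwordLoginAllowed(['passkeys' => []]));
var_dump(passwordLoginAllowed(['passkeys' => ['credential-id-1']]));
```

The second `verifyClientData` call fails only because of the origin mismatch, which is exactly the property a password fallback would throw away.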

I totally agree as well. Login to the system must be part of the system, especially if UX and security are improving.

Since everyone should only work 8 hours a day and the backlogs are exploding, I recommend getting inspired by your experiment—including the core members.

I enjoy the future already :sunglasses:

+1 for passkeys. Heading to Nolt to vote.