[Feature Request] Please add U2F webauthn support as another form of 2FA.
- Thread starter greatwolf
- Start date
Just wanted to add to this, there are two approaches to getting webauthn support on to dash forums:
- Use this Xenforo addon https://xenforo.com/community/resources/digitalpoint-security-passkeys.8738/
- Migrate to discourse.org which has webauthn already built-in.
- Use this Xenforo addon https://xenforo.com/community/resources/digitalpoint-security-passkeys.8738/
- Migrate to discourse.org which has webauthn already built-in.
We already have 2FA available through Authenticator, it is just not required to create an account, I 2FA because I have to
as an Admin/Moderator. You can do the same to protect your account. @strophy do you think the Forum needs an extra
2FA option?
Last edited:
Offering multiple 2FA options is always preferable. Many well-known sites already use this eg. twitter, google, cloudflare, protonmail even yahoo. The general direction of the industry is moving towards better FIDO support.
Many of us have hardware wallets(or at least should) and they more than likely support some kind of U2F. I know for certain Trezor, KeepKey and Ledger does. It all but eliminates phishing attacks and if all that's needed to support this is adding a forum plugin, well why not? It's an increase in security without too much effort.
Many of us have hardware wallets(or at least should) and they more than likely support some kind of U2F. I know for certain Trezor, KeepKey and Ledger does. It all but eliminates phishing attacks and if all that's needed to support this is adding a forum plugin, well why not? It's an increase in security without too much effort.
Yes No.
I agree it's generally good to have options but I disagree the general industry is moving towards it.
U2F has been around for years but certain institutions, especially banking, are very reluctant to move away from soft KYC. This is to say, they prefer to send plain old SMS and emails because these kind of things leave lots of metadata hanging around for analysis.
Having said that, U2F provides guarantees that the same person is performing the same tasks / writing comments on forums. Regular 2FA does not provide this guarantee and some people such as myself believe that is a good thing. i.e. the 2FA secret can be shared or stolen from a server and thus give me plausible deniability.
At the end of the day, I think it's just a forum with no financial implications and U2F does not protect your anonymity. So really this just comes down to admins and whether they are willing to take on the work.
I agree it's generally good to have options but I disagree the general industry is moving towards it.
U2F has been around for years but certain institutions, especially banking, are very reluctant to move away from soft KYC. This is to say, they prefer to send plain old SMS and emails because these kind of things leave lots of metadata hanging around for analysis.
Having said that, U2F provides guarantees that the same person is performing the same tasks / writing comments on forums. Regular 2FA does not provide this guarantee and some people such as myself believe that is a good thing. i.e. the 2FA secret can be shared or stolen from a server and thus give me plausible deniability.
At the end of the day, I think it's just a forum with no financial implications and U2F does not protect your anonymity. So really this just comes down to admins and whether they are willing to take on the work.
Last edited:
Why would you need to login to the Forum from a hardware wallet? This is a discussion website, not a wallet or exchange.
It doesn't have to be a hardware wallet, it's just an example. Any FIDO compliant security key will work.
The question remains. I mean, up to you of course, but why? Do you not mind there would be mathematical proof that the things you say across all the forums were published by the same person?
That's what U2F does, the device is signing messages as proof that it is you. Same public key principles as gpg and dash addresses. TOTP on the other hand uses a shared secret which affords you some plausible deniability.