I am surprised I did not find this feature request by searching the forums. Someone please point out another post of his feature request to me, if I have missed one. I tried:
Two factor authentication
2 factor auth
Multi-factor auth
Use case or problem
Account security is always weak when it is based solely on a password, no matter how long that password may be.
While Obsidian has only the 1 password security solution, all user data is under unnecessary risk. While the data may be encrypted on the Obsidian servers, the attack vector of the user (stealing their password via phishing or social engineering) bypasses this entirely.
Proposed solution
Two Factor Authentication as an option for logging into my Obsidian account. Both online and in the app.
Authenticator code is fine as a default (as it can be done for everyone with a phone) but a further option for Security Key would be much muuuch better.
Hell, even these forums have Two Factor Authentication for both Authenticator code and Security Key! I think my conversations here are a lot less important to protect than the entirety of my collected notes and thoughts
Edit: also, 2fa would protect ones account from being taken over, including your purchased licenses.
Yeah, any form of Two Factor Authentication would be good for actually logging into our accounts. If the feature were to be implemented, further on maybe there could also be the security key functionality.
This is currently the thing stopping me from using Obsidian. The service looks amazing! I advocate for security key support as SMS and app based is legacy at this point. Webauthn is definitely best, but I would be happy with app based too.
I have to vote +1 for this also; 2fa is an important feature for sync.
Those of us that use Obsidian for business and deal with sensitive information where there is either (1) a legal duty to protect that information; (2) an above average risk that bad actors will seek to gain access to the data; or (3) both— having as many practical security options possible is one of the most, if not the most, important considerations in selecting a product to trust.
And I think those who choose Obsidian’s sync service are security conscious and would overwhelmingly make use of the capability to add more protection.
I just paid for Sync and was very surprised not to see TfA available when registering an account. It is a basic security requirement these days. So big upvote for this feature request.
I really like Obsidian’s philosophy, and I would love to enable sync. I would probably subscribe to the service anyway to support the team, but I think supporting MFA is essential (with multiple Security Keys as the OP recommends).
Surprisingly, the feature is already available here on the forum (I have 2 YubiKeys registered) but not on the main service. The forum platform probably supports this out of the box, but the lack of strong encryption can prevent many of us from using Obsidian for anything serious.
Apologies for not being clear. @stevelw you are right: my dream setup would be to have my data encrypted using a hardware key (ideally a set of interchangeable keys, to be protected in case one is lost or damaged). This would be relevant for the remote files, the local files are fine as they are. I would also love to see a paper describing the encryption techniques used.
That being said, I doubt most people will care much about this, and to be honest, there are other places to store highly confidential data.
Quick update: I ended up subscribing to the sync plugin because of the 1-year history on notes, but mostly to support the team.
There is a separate encryption password, so the encryption is not linked to the login password (which was my worry). This is definitely good enough for me; I use a completely random 100-character string stored securely.
I don’t think MFA on the Obsidian account would add much security; even if someone managed to get my credentials, they could only see the list of my vaults but not access the content.
It’s not an issue using the same password for authentication and encryption, if it’s implemented correctly — see LastPass’ encryption for example. This means you don’t need to keep track of two things.
The benefit of MFA is usually to prevent an offline attack. I’ve not used Sync myself — but assuming they’re not doing the encryption on their servers (bad) in this situation the attacker could just pound on it on their computer until they guess the password.
@taglia as @stevelw suggests, the encryption password is completely separate from this issue. That is one more hurdle a bad actor must jump through in order to get your vault data, however they have a lot of useful data before that point.
Here is all the data I can think of that one can see about you from looking at your Obsidian Account on the website or by signing in on the Desktop app.
Stage 0
No Knowledge Of You
< Required to pass to Stage 1: Email; Password; [Suggestion: 2FA] >
Stage 1
Access to Your Obsidian Account Online.
This gives knowledge of your:
Email
Full Name
Last 4 digits of your payment details
Which licenses you have purchased
All of your remote vaults
And gives the ability to:
Delete your account
Change your password
Change your email
Sign into your account on another device and use your licenses.
Edit your Obsidian Published sites (? Needs verified. I believe it would allow you to replace an existing site with a new one)
Download your remote repositories. Even without knowing the encryption key, the bad actor now gains the ability to brute force your vault by continually guessing different passwords until they get it right, if they have a powerful computer(s). Depending on your encryption password this could take somewhere between days or decades to guess. Though technology is always improving, and this attack surface should still be protected.
No notification is given when someone logs into your account from a new computer/ip (that I have seen) so the exposed user would be unaware of the issue unless the bad actor did something to reveal themselves.
< Required to pass to Stage 2: Encryption Key(s) >
No 2FA option for a sync account is really the only thing stopping me from using Obsidian more and purchasing multiple accounts for my colleagues. I’d really like to adopt the tool more broadly, so +10000 to this feature. Doesn’t have to be fancy, but would prefer the option for app-based 2FA (like google authenticator) rather than SMS based 2FA (although you usually get one if you get the other).
If this wasn’t clear from the previous replies I want to reiterate that the
Login credentials are separate from the password you use for end to end encryption.
Two factor authentication would be an extra layer for login part.
This is (minor) misunderstanding:
The knowledge of login credentials DO NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.
The knowledge of login credentials DO NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.
This is new information, thanks for sharing. However… are you saying the password is sent over the web to Obsidian HQ, where it is then checked against your Vault? (And if all good then it allows the Vault to be downloaded, otherwise it does not) That has it’s own security concerns
Even ignoring those, I hope you can see that removing the whole “Downloading your encrypted vault” point is but one of many I give in this post. Two Factor Authentication is necessary for proper protection of a user’s data and their account.
And as @chrissanders requested having 2FA for the Encryption (optionally) would be an added bonus, as then us users would retain the only access possible to the data, and Obsidian themselves would have none (and thus more security is achieved).
