Two Factor Authentication

I am surprised I did not find this feature request by searching the forums. Someone please point out another post of this feature request to me, if I have missed one. I tried:

  • Two factor authentication
  • 2 factor auth
  • Multi-factor auth

Use case or problem

Account security is always weak when it is based solely on a password, no matter how long that password may be.

While Obsidian has only the 1 password security solution, all user data is under unnecessary risk. While the data may be encrypted on the Obsidian servers, the attack vector of the user (stealing their password via phishing or social engineering) bypasses this entirely.

Proposed solution

Two Factor Authentication as an option for logging into my Obsidian account. Both online and in the app.

Authenticator code is fine as a default (as it can be done for everyone with a phone) but a further option for Security Key would be much muuuch better.

Hell, even these forums have Two Factor Authentication for both Authenticator code and Security Key! I think my conversations here are a lot less important to protect than the entirety of my collected notes and thoughts :wink:

Edit: also, 2fa would protect one's account from being taken over, including your purchased licenses.

25 Likes

While 2FA makes sense for online/sync, it doesn’t make sense for local authentication as the files are all there in the file system.

3 Likes

I was referring to logging into your Account in the app (in the Account tab in Settings) which is required for Sync or Publish.

1 Like

Yeah, any form of Two Factor Authentication would be good for actually logging into our accounts. If the feature were to be implemented, further on maybe there could also be the security key functionality.

1 Like

+1 for this- 2 factor is necessary and crucial for Obsidian Sync to be as secure as third party sync solutions!

3 Likes

This is currently the thing stopping me from using Obsidian. The service looks amazing! I advocate for security key support as SMS and app based is legacy at this point. Webauthn is definitely best, but I would be happy with app based too.

3 Likes

I have to vote +1 for this also; 2fa is an important feature for sync.

Those of us that use Obsidian for business and deal with sensitive information where there is either (1) a legal duty to protect that information; (2) an above average risk that bad actors will seek to gain access to the data; or (3) both— having as many practical security options as possible is one of the most, if not the most, important considerations in selecting a product to trust.
And I think those who choose Obsidian’s sync service are security conscious and would overwhelmingly make use of the capability to add more protection.

2 Likes

I just paid for Sync and was very surprised not to see TfA available when registering an account. It is a basic security requirement these days. So big upvote for this feature request.

2 Likes

I really like Obsidian’s philosophy, and I would love to enable sync. I would probably subscribe to the service anyway to support the team, but I think supporting MFA is essential (with multiple Security Keys as the OP recommends).

Surprisingly, the feature is already available here on the forum (I have 2 YubiKeys registered) but not on the main service. The forum platform probably supports this out of the box, but the lack of strong encryption can prevent many of us from using Obsidian for anything serious.

Just to be pedantic, 2FA is authentication not encryption.

Apologies for not being clear. @stevelw you are right: my dream setup would be to have my data encrypted using a hardware key (ideally a set of interchangeable keys, to be protected in case one is lost or damaged). This would be relevant for the remote files, the local files are fine as they are. I would also love to see a paper describing the encryption techniques used.

That being said, I doubt most people will care much about this, and to be honest, there are other places to store highly confidential data.

MFA would be a good addition in any case.

Quick update: I ended up subscribing to the sync plugin because of the 1-year history on notes, but mostly to support the team.

There is a separate encryption password, so the encryption is not linked to the login password (which was my worry). This is definitely good enough for me; I use a completely random 100-character string stored securely.

I don’t think MFA on the Obsidian account would add much security; even if someone managed to get my credentials, they could only see the list of my vaults but not access the content.

It’s not an issue using the same password for authentication and encryption, if it’s implemented correctly — see LastPass’ encryption for example. This means you don’t need to keep track of two things.

The benefit of MFA is usually to prevent an offline attack. I’ve not used Sync myself — but assuming they’re not doing the encryption on their servers (bad) in this situation the attacker could just pound on it on their computer until they guess the password.

@taglia as @stevelw suggests, the encryption password is completely separate from this issue. That is one more hurdle a bad actor must jump through in order to get your vault data, however they have a lot of useful data before that point.

Here is all the data I can think of that one can see about you from looking at your Obsidian Account on the website or by signing in on the Desktop app.


Stage 0

No Knowledge Of You

< Required to pass to Stage 1: Email; Password; [Suggestion: 2FA] >

Stage 1

Access to Your Obsidian Account Online.

This gives knowledge of your:

  • Email
  • Full Name
  • Last 4 digits of your payment details
  • Which licenses you have purchased
  • All of your remote vaults

And gives the ability to:

  • Delete your account
  • Change your password
  • Change your email
  • Sign into your account on another device and use your licenses.
  • Edit your Obsidian Published sites (? Needs verified. I believe it would allow you to replace an existing site with a new one)
  • Download your remote repositories. Even without knowing the encryption key, the bad actor now gains the ability to brute force your vault by continually guessing different passwords until they get it right, if they have a powerful computer(s). Depending on your encryption password this could take somewhere between days or decades to guess. Though technology is always improving, and this attack surface should still be protected.

No notification is given when someone logs into your account from a new computer/ip (that I have seen) so the exposed user would be unaware of the issue unless the bad actor did something to reveal themselves.

< Required to pass to Stage 2: Encryption Key(s) >

Stage 2

Access to all the data in your vault(s) :exclamation:

3 Likes

No 2FA option for a sync account is really the only thing stopping me from using Obsidian more and purchasing multiple accounts for my colleagues. I’d really like to adopt the tool more broadly, so +10000 to this feature. Doesn’t have to be fancy, but would prefer the option for app-based 2FA (like google authenticator) rather than SMS based 2FA (although you usually get one if you get the other).

2 Likes

If this wasn’t clear from the previous replies I want to reiterate that the

  1. Login credentials are separate from the password you use for end to end encryption.
  2. Two factor authentication would be an extra layer for login part.

This is a (minor) misunderstanding:
The knowledge of login credentials DOES NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

2 Likes

The knowledge of login credentials DOES NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

This is new information, thanks for sharing. However… are you saying the password is sent over the web to Obsidian HQ, where it is then checked against your Vault? (And if all good then it allows the Vault to be downloaded, otherwise it does not) That has its own security concerns :100: :scream:

Even ignoring those, I hope you can see that removing the whole “Downloading your encrypted vault” point is but one of many I give in this post. Two Factor Authentication is necessary for proper protection of a user’s data and their account.

And as @chrissanders requested having 2FA for the Encryption (optionally) would be an added bonus, as then us users would retain the only access possible to the data, and Obsidian themselves would have none (and thus more security is achieved).

A hash of the salted password is sent for additional verification along with the login token.

I am not dismissing this FR. I have just replied because in this thread I see confusion between login credentials and e2e encryption.
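The two gates described in this thread (login credentials for Stage 1, a salted hash of the vault password sent alongside the login token for Stage 2) and the offline-guessing concern raised earlier can be sketched in code. This is an added illustration, not Obsidian's implementation: the PBKDF2 parameters, the "encrypt"/"verify" purpose split, the server storing only a hash of the verifier, and the `SyncServer` class are all assumptions made for the example.

```python
import hashlib
import hmac
import math
import os
import time

# Assumed KDF cost for the illustration; Obsidian's real parameters are not stated in the thread.
KDF_ITERATIONS = 200_000


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2 with the purpose mixed into the salt so the key and the verifier differ."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, KDF_ITERATIONS)


def client_material(vault_password: str, salt: bytes) -> tuple:
    """Encryption key (stays on the device) and verifier (sent with the login token)."""
    return derive(vault_password, salt, b"encrypt"), derive(vault_password, salt, b"verify")


class SyncServer:
    """Hypothetical server: holds login tokens and a hash of each verifier, never the key."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, login_token: bytes, verifier: bytes) -> None:
        self.accounts[email] = {"token": login_token, "verifier_hash": hashlib.sha256(verifier).digest()}

    def allow_download(self, email: str, login_token: bytes, verifier: bytes) -> bool:
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["token"], login_token):
            return False  # Stage 1 not passed: login credentials wrong
        # Stage 2 gate: caller must also prove knowledge of the vault password
        return hmac.compare_digest(acct["verifier_hash"], hashlib.sha256(verifier).digest())


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_guessing_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected offline guessing time: half the keyspace, each guess paying the KDF cost."""
    return 2 ** (entropy_bits - 1) * seconds_per_guess


def measure_kdf_seconds() -> float:
    """Time one derivation on this machine, to plug into expected_guessing_seconds."""
    start = time.perf_counter()
    derive("timing-probe", os.urandom(16), b"encrypt")
    return time.perf_counter() - start
```

Feeding `measure_kdf_seconds()` into `expected_guessing_seconds` for an 8-character lowercase password versus a 100-character random string makes the "days or decades" spread concrete, and shows why the verifier hash held by the server must never equal the key.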

+1, great idea, totally in line with Obsidian’s audience and brand. 2FA the account login, yes please.

2 Likes

+1, definitely. 2FA is essential these days. One of the reasons I’m hesitant to use Sync is the lack of this level of security.

2 Likes