Two Factor Authentication

Increasingawareness · 2021-08-24T02:07:11.913Z

This is currently the thing stopping me from using Obsidian. The service looks amazing! I advocate for security key support as SMS and app based is legacy at this point. Webauthn is definitely best, but I would be happy with app based too.

Itsa_Robbery_Esq · 2021-08-24T04:42:01.268Z

I have to vote +1 for this also; 2fa is an important feature for sync.

Those of us that use Obsidian for business and deal with sensitive information where there is either (1) a legal duty to protect that information; (2) an above average risk that bad actors will seek to gain access to the data; or (3) both— having as many practical security options possible is one of the most, if not the most, important considerations in selecting a product to trust.
And I think those who choose Obsidian’s sync service are security conscious and would overwhelmingly make use of the capability to add more protection.

strawberryfield · 2021-08-25T20:47:35.599Z

I just paid for Sync and was very surprised not to see TfA available when registering an account. It is a basic security requirement these days. So big upvote for this feature request.

taglia · 2021-09-10T03:00:07.549Z

I really like Obsidian’s philosophy, and I would love to enable sync. I would probably subscribe to the service anyway to support the team, but I think supporting MFA is essential (with multiple Security Keys as the OP recommends).

Surprisingly, the feature is already available here on the forum (I have 2 YubiKeys registered) but not on the main service. The forum platform probably supports this out of the box, but the lack of strong encryption can prevent many of us from using Obsidian for anything serious.

stevelw · 2021-09-10T08:30:31.829Z

Just to be pedantic, 2FA is authentication not encryption.

taglia · 2021-09-11T03:22:18.153Z

Apologies for not being clear. @stevelw you are right: my dream setup would be to have my data encrypted using a hardware key (ideally a set of interchangeable keys, to be protected in case one is lost or damaged). This would be relevant for the remote files, the local files are fine as they are. I would also love to see a paper describing the encryption techniques used.

That being said, I doubt most people will care much about this, and to be honest, there are other places to store highly confidential data.

MFA would be a good addition in any case.

taglia · 2021-09-11T05:47:19.453Z

Quick update: I ended up subscribing to the sync plugin because of the 1-year history on notes, but mostly to support the team.

There is a separate encryption password, so the encryption is not linked to the login password (which was my worry). This is definitely good enough for me; I use a completely random 100-character string stored securely.

I don’t think MFA on the Obsidian account would add much security; even if someone managed to get my credentials, they could only see the list of my vaults but not access the content.

stevelw · 2021-09-11T06:30:08.264Z

taglia:

There is a separate encryption password, so the encryption is not linked to the login password (which was my worry). This is definitely good enough for me; I use a completely random 100-character string stored securely.

I don’t think MFA on the Obsidian account would add much security; even if someone managed to get my credentials, they could only see the list of my vaults but not access the content.

It’s not an issue using the same password for authentication and encryption, if it’s implemented correctly — see LastPass’ encryption for example. This means you don’t need to keep track of two things.

The benefit of MFA is usually to prevent an offline attack. I’ve not used Sync myself — but assuming they’re not doing the encryption on their servers (bad) in this situation the attacker could just pound on it on their computer until they guess the password.

JordanMO · 2021-09-11T07:31:40.004Z

@taglia as @stevelw suggests, the encryption password is completely separate from this issue. That is one more hurdle a bad actor must jump through in order to get your vault data, however they have a lot of useful data before that point.

Here is all the data I can think of that one can see about you from looking at your Obsidian Account on the website or by signing in on the Desktop app.

Stage 0

No Knowledge Of You

< Required to pass to Stage 1: Email; Password; [Suggestion: 2FA] >

Stage 1

Access to Your Obsidian Account Online.

This gives knowledge of your:

Email
Full Name
Last 4 digits of your payment details
Which licenses you have purchased
All of your remote vaults

And gives the ability to:

Delete your account
Change your password
Change your email
Sign into your account on another device and use your licenses.
Edit your Obsidian Published sites (? Needs verified. I believe it would allow you to replace an existing site with a new one)
Download your remote repositories. Even without knowing the encryption key, the bad actor now gains the ability to brute force your vault by continually guessing different passwords until they get it right, if they have a powerful computer(s). Depending on your encryption password this could take somewhere between days or decades to guess. Though technology is always improving, and this attack surface should still be protected.

No notification is given when someone logs into your account from a new computer/ip (that I have seen) so the exposed user would be unaware of the issue unless the bad actor did something to reveal themselves.

< Required to pass to Stage 2: Encryption Key(s) >

Stage 2

Access to all the data in your vault(s)

chrissanders · 2021-09-16T17:18:39.902Z

No 2FA option for a sync account is really the only thing stopping me from using Obsidian more and purchasing multiple accounts for my colleagues. I’d really like to adopt the tool more broadly, so +10000 to this feature. Doesn’t have to be fancy, but would prefer the option for app-based 2FA (like google authenticator) rather than SMS based 2FA (although you usually get one if you get the other).

WhiteNoise · 2021-09-16T17:36:35.834Z

If this wasn’t clear from the previous replies I want to reiterate that the

Login credentials are separate from the password you use for end to end encryption.
Two factor authentication would be an extra layer for login part.

This is (minor) misunderstanding:
The knowledge of login credentials DO NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

JordanMO · 2021-09-16T17:55:27.657Z

The knowledge of login credentials DO NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

This is new information, thanks for sharing. However… are you saying the password is sent over the web to Obsidian HQ, where it is then checked against your Vault? (And if all good then it allows the Vault to be downloaded, otherwise it does not) That has it’s own security concerns

Even ignoring those, I hope you can see that removing the whole “Downloading your encrypted vault” point is but one of many I give in this post. Two Factor Authentication is necessary for proper protection of a user’s data and their account.

And as @chrissanders requested having 2FA for the Encryption (optionally) would be an added bonus, as then us users would retain the only access possible to the data, and Obsidian themselves would have none (and thus more security is achieved).

WhiteNoise · 2021-09-16T20:30:08.170Z

JordanMO:

This is new information, thanks for sharing. However… are you saying the password is sent over the web to Obsidian HQ, where it is then checked against your Vault? (And if all good then it allows the Vault to be downloaded, otherwise it does not) That has it’s own security concerns

A hash of the salted password is sent for additional verification along with the login token.

I am not dismissing this FR. I have just replied because in this thread I see confusion between login credentials and e2e encryption.

mandible · 2021-09-25T12:31:10.083Z

+1, great idea, totally in line with Obsidian’s audience and brand. 2FA the account login, yes please.

quarterdane · 2021-09-25T19:05:07.340Z

+1, definitely. 2FA is essential these days. One of the reasons I’m hesitant to use Sync is the lack of this level of security.

MacSparky · 2021-09-26T20:33:11.206Z

+1 on this.

E2E is one of the great features of Obsidian. 2FA on top would make it even better.

Hellquist · 2021-09-29T06:18:54.820Z

+1 for the reasons mentioned above. I have 2FA on “everything” where I can.

Jarmer · 2021-10-01T13:39:47.030Z

I just wanted to add to this: I absolutely love Obsidian, but I was honestly taken aback when setting up my online/sync account at the lack of 2fa. At first I just thought I couldn’t find it, so I searched around, and indeed: nope. Does not exist.

Please please please add this in as a top priority! Our accounts are extremely vulnerable right now. Single simple pw auth is leaving us all exposed.

dee-kryvenko · 2022-02-03T01:31:05.115Z

If Obsidian actually reads this and cares about revenue - you are leaving money on the table here. Just think about it for a second.

I wish I could just pay $100 and forget about my devices sync for a year, just use your service and not waste time on research to find a DYI alternative. But you don’t have MFA, which makes me think what else did you screwed up? Redundancy? Backups? What exactly do you mean by “end-to-end encryption”? Simple server-side TLS is “end-to-end encryption”? Do all users encrypted with the same key in transit? How about encryption at rest? Do you use MFA for your own infrastructure?

Don’t get me wrong - I don’t try to discount everything you did in the UI and how amazing the app itself is. You are years ahead of competition like Confluence and Evernote, who to this day fail to understand that Markdown is a thing. But desktop and backend programming are very different, and your expertise in one does not tell anything about your expertise in the other. I do not have faith in your competence on the backend at this point, so I want to take care of it myself, so you will not get my money. Surely Google Drive not going to screw up with my data, it has end-to-end encryption as well as encryption at rest, and they do all sorts of MFA starting from the basic TOTP and into the U2F/FIDO2/WebAuthn lands.

Now think, how many others like me are out there but not wasting their time to tell you about it? This is such a low hanging fruit - any reasonable PO should see that and make sure it is done next week. And if you really are just 2 people and 2 cats and don’t have any POs - take my free advice AND JUST DO IT TOMORROW! This is important. This is your face, first impression, this is how you loose potential customers, big enterprise customers - every hour. C’mon, TOTP is 5 lines of code in any language - start with that, fancier MFA methods might come in later.

A hash of the salted password is sent for additional verification along with the login token.

What does it matter if it’s a hash or clear text password if it can be intercepted in transit and then used to decrypt? You basically just confessed that Obsidian have all the means to read the user data, what “end-to-end encryption” is your home page false advertising about? Stop embarrassing yourself.

WhiteNoise · 2022-02-03T02:24:11.531Z

Thank you for your rant.
There’s a short explanation of end to end encryption here: https://help.obsidian.md/Obsidian+Sync/Security+and+privacy

You have a lot of confused thoughts. Sometimes, when there are questions about security, i spend some time clarifying doubts. Unfortunately, this time I am too busy embarrassing myself so I’ll keep doing that.