Two Factor Authentication

I really like Obsidian’s philosophy, and I would love to enable sync. I would probably subscribe to the service anyway to support the team, but I think supporting MFA is essential (with multiple Security Keys as the OP recommends).

Surprisingly, the feature is already available here on the forum (I have 2 YubiKeys registered) but not on the main service. The forum platform probably supports this out of the box, but the lack of strong encryption can prevent many of us from using Obsidian for anything serious.

Just to be pedantic, 2FA is authentication not encryption.

Apologies for not being clear. @stevelw you are right: my dream setup would be to have my data encrypted using a hardware key (ideally a set of interchangeable keys, to be protected in case one is lost or damaged). This would be relevant for the remote files, the local files are fine as they are. I would also love to see a paper describing the encryption techniques used.

That being said, I doubt most people will care much about this, and to be honest, there are other places to store highly confidential data.

MFA would be a good addition in any case.

Quick update: I ended up subscribing to the sync plugin because of the 1-year history on notes, but mostly to support the team.

There is a separate encryption password, so the encryption is not linked to the login password (which was my worry). This is definitely good enough for me; I use a completely random 100-character string stored securely.

I don’t think MFA on the Obsidian account would add much security; even if someone managed to get my credentials, they could only see the list of my vaults but not access the content.

It’s not an issue using the same password for authentication and encryption, if it’s implemented correctly — see LastPass’ encryption for example. This means you don’t need to keep track of two things.

The benefit of MFA is usually to prevent an offline attack. I’ve not used Sync myself — but assuming they’re not doing the encryption on their servers (bad) in this situation the attacker could just pound on it on their computer until they guess the password.

@taglia as @stevelw suggests, the encryption password is completely separate from this issue. That is one more hurdle a bad actor must jump through in order to get your vault data; however, they have a lot of useful data before that point.

Here is all the data I can think of that one can see about you from looking at your Obsidian Account on the website or by signing in on the Desktop app.

Stage 0

No Knowledge Of You

< Required to pass to Stage 1: Email; Password; [Suggestion: 2FA] >

Stage 1

Access to Your Obsidian Account Online.

This gives knowledge of your:

  • Email
  • Full Name
  • Last 4 digits of your payment details
  • Which licenses you have purchased
  • All of your remote vaults

And gives the ability to:

  • Delete your account
  • Change your password
  • Change your email
  • Sign into your account on another device and use your licenses.
  • Edit your Obsidian Published sites (? Needs verifying. I believe it would allow you to replace an existing site with a new one)
  • Download your remote repositories. Even without knowing the encryption key, the bad actor now gains the ability to brute force your vault by continually guessing different passwords until they get it right, if they have a powerful computer(s). Depending on your encryption password this could take somewhere between days and decades to guess. Though technology is always improving, and this attack surface should still be protected.

No notification is given when someone logs into your account from a new computer/IP (that I have seen), so the exposed user would be unaware of the issue unless the bad actor did something to reveal themselves.

< Required to pass to Stage 2: Encryption Key(s) >

Stage 2

Access to all the data in your vault(s) :exclamation:

3 Likes

No 2FA option for a sync account is really the only thing stopping me from using Obsidian more and purchasing multiple accounts for my colleagues. I’d really like to adopt the tool more broadly, so +10000 to this feature. Doesn’t have to be fancy, but would prefer the option for app-based 2FA (like google authenticator) rather than SMS based 2FA (although you usually get one if you get the other).

3 Likes

If this wasn’t clear from the previous replies I want to reiterate that the

  1. Login credentials are separate from the password you use for end to end encryption.
  2. Two factor authentication would be an extra layer for the login part.

This is a (minor) misunderstanding:
The knowledge of login credentials DOES NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

4 Likes

The knowledge of login credentials DOES NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

This is new information, thanks for sharing. However… are you saying the password is sent over the web to Obsidian HQ, where it is then checked against your Vault? (And if all good then it allows the Vault to be downloaded, otherwise it does not) That has its own security concerns :100: :scream:

Even ignoring those, I hope you can see that removing the whole “Downloading your encrypted vault” point is but one of many I give in this post. Two Factor Authentication is necessary for proper protection of a user’s data and their account.

And as @chrissanders requested, having 2FA for the Encryption (optionally) would be an added bonus, as then we users would retain the only access possible to the data, and Obsidian themselves would have none (and thus more security is achieved).

A hash of the salted password is sent for additional verification along with the login token.

I am not dismissing this FR. I have just replied because in this thread I see confusion between login credentials and e2e encryption.

1 Like
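As an added illustration of the distinction drawn in the replies above (and of the offline brute-force point in the Stage 1 post), here is example code that is not Obsidian's implementation: a login verifier derived from the password can be checked by the server without the server ever holding the vault key, while anyone who obtains a copy of the stored record can still make offline guesses, so key-derivation cost and password strength decide between "days" and "decades". The salt, the HMAC labels and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative construction, not Obsidian's code: one slow password hash, then two
# independent keys expanded from it, so the value shown to the server for login
# cannot be turned back into the key that decrypts the vault.
def derive_keys(password: str, salt: bytes, iterations: int = 600_000) -> tuple:
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    enc_key = hmac.new(master, b"vault-encryption-key", hashlib.sha256).digest()
    verifier = hmac.new(master, b"login-verifier", hashlib.sha256).digest()
    return enc_key, verifier

def server_enroll(verifier: bytes) -> bytes:
    # The server only ever stores a hash of the verifier; it never sees the
    # password, the PBKDF2 output or enc_key.
    return hashlib.sha256(verifier).digest()

def server_check(stored: bytes, presented: bytes) -> bool:
    # Constant-time comparison of the stored hash against the presented verifier.
    return hmac.compare_digest(stored, hashlib.sha256(presented).digest())

def offline_guess(stored: bytes, salt: bytes, candidates: list, iterations: int) -> Optional[str]:
    # What someone holding a copy of the stored record can do: one full KDF run per
    # guess, which is why iteration count and password entropy are the defence.
    for cand in candidates:
        if server_check(stored, derive_keys(cand, salt, iterations)[1]):
            return cand
    return None

def demo(iterations: int = 600_000) -> dict:
    salt = secrets.token_bytes(16)                       # constructed per-user salt
    weak, strong = "hunter2", secrets.token_urlsafe(75)  # ~100 random characters
    _, weak_verifier = derive_keys(weak, salt, iterations)
    _, strong_verifier = derive_keys(strong, salt, iterations)
    wordlist = ["password", "hunter2", "letmein"]       # constructed tiny guess list
    return {
        "weak_found": offline_guess(server_enroll(weak_verifier), salt, wordlist, iterations),
        "strong_found": offline_guess(server_enroll(strong_verifier), salt, wordlist, iterations),
    }
```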

+1, great idea, totally in line with Obsidian’s audience and brand. 2FA the account login, yes please.

3 Likes

+1, definitely. 2FA is essential these days. One of the reasons I’m hesitant to use Sync is the lack of this level of security.

3 Likes

+1 on this.

E2E is one of the great features of Obsidian. 2FA on top would make it even better.

3 Likes

+1 for the reasons mentioned above. I have 2FA on “everything” where I can.

3 Likes

I just wanted to add to this: I absolutely love Obsidian, but I was honestly taken aback when setting up my online/sync account at the lack of 2fa. At first I just thought I couldn’t find it, so I searched around, and indeed: nope. Does not exist.

Please please please add this in as a top priority! Our accounts are extremely vulnerable right now. Single simple pw auth is leaving us all exposed.

3 Likes

If Obsidian actually reads this and cares about revenue - you are leaving money on the table here. Just think about it for a second.

I wish I could just pay $100 and forget about my devices sync for a year, just use your service and not waste time on research to find a DIY alternative. But you don’t have MFA, which makes me think what else did you screw up? Redundancy? Backups? What exactly do you mean by “end-to-end encryption”? Simple server-side TLS is “end-to-end encryption”? Are all users encrypted with the same key in transit? How about encryption at rest? Do you use MFA for your own infrastructure?

Don’t get me wrong - I don’t try to discount everything you did in the UI and how amazing the app itself is. You are years ahead of competition like Confluence and Evernote, who to this day fail to understand that Markdown is a thing. But desktop and backend programming are very different, and your expertise in one does not tell anything about your expertise in the other. I do not have faith in your competence on the backend at this point, so I want to take care of it myself, so you will not get my money. Surely Google Drive is not going to screw up with my data, it has end-to-end encryption as well as encryption at rest, and they do all sorts of MFA starting from the basic TOTP and into the U2F/FIDO2/WebAuthn lands.

Now think, how many others like me are out there but not wasting their time to tell you about it? This is such a low hanging fruit - any reasonable PO should see that and make sure it is done next week. And if you really are just 2 people and 2 cats and don’t have any POs - take my free advice AND JUST DO IT TOMORROW! This is important. This is your face, first impression, this is how you lose potential customers, big enterprise customers - every hour. C’mon, TOTP is 5 lines of code in any language - start with that, fancier MFA methods might come in later.

A hash of the salted password is sent for additional verification along with the login token.

What does it matter if it’s a hash or clear text password if it can be intercepted in transit and then used to decrypt? You basically just confessed that Obsidian have all the means to read the user data, what “end-to-end encryption” is your home page false advertising about? Stop embarrassing yourself.

Thank you for your rant.
There’s a short explanation of end to end encryption here: https://help.obsidian.md/Obsidian+Sync/Security+and+privacy

You have a lot of confused thoughts. Sometimes, when there are questions about security, I spend some time clarifying doubts. Unfortunately, this time I am too busy embarrassing myself so I’ll keep doing that.

4 Likes

You have a lot of confused thoughts. Sometimes, when there are questions about security, I spend some time clarifying doubts. Unfortunately, this time I am too busy embarrassing myself so I’ll keep doing that.

Lol, fair.

Antagonistic suggestions of your incompetence aside, there are people who will indeed not purchase Sync without some type of two factor :wink:

Two factor authentication for user login is one thing. It’s a totally valid request.
However, it has nothing to do with sync or end-to-end encryption.

2 Likes

I am not having any confused thoughts about any of that. I do this stuff for a living. The only confusion here is the one introduced by yourself.

Thanks for the link - it explains a lot. Here is a perspective to look at - by reading this thread, and not knowing there are two separate methods of end-to-end encryption you’ve implemented - it is very easy to read it as you transmit the encryption passphrase or a hash of it to the server, which defeats it all. Just read the following statements of yours and try to read them as someone without the context you just provided:

The knowledge of login credentials DOES NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

And

A hash of the salted password is sent for additional verification along with the login token.

Now, after reading Security and privacy, I understand you were probably talking about managed encryption and not end-to-end encryption. Is that right?

MFA has everything to do with the encryption and I am not confusing MFA with encryption here. You are confusing me with other people who confused it here in previous posts. I simply stated that the lack of MFA gives me a certain impression about your expertise in implementing your backend stuff and raises a lot of red flags, including, but not limited to, your implementation of encryption. This is how the two are related. I provided quotes of you in this thread, where you were discussing encryption, to demonstrate how you add to that lack of confidence, but I was not making any comments on the subject itself or making any direct relation between MFA and encryption.

And a note about antagonizing. I am not antagonizing anyone. Not being nice is not the same as antagonizing. I don’t have to be nice to you or anyone else, just as you do not have to be nice to me. Here is another perspective to look at - if I were nice to you, I would not be able to give you that perspective. I would not be able to tell you what a typical commercial potential user thinks when they find this thread, because what a typical commercial potential user thinks after reading this thread is not nice. And then you would never learn about that perspective. And then - you would never have had the opportunity to object to these thoughts and provide a link with an explanation of your encryption implementation. The potential user would then leave this thread, this website, and go look for alternatives. So nice, but so pathetic and pointless. Because unfortunately most people tend to be nice and not tell you what they truly think, and a-holes like myself are rare and they are usually busy. So as a business owner you may fall into a survivorship bias fallacy. So, I personally find my antagonizing comment 100 times more valuable than 100 other nice comments. It so happens that I am interested in your product, and I will greatly benefit if you address my concern and make me able to use it, so I am genuinely trying to help. As an a-hole that doesn’t expect niceness, I do not expect you to thank me, I expect you to implement the damn feature, so I can give you my money.

Meanwhile, I am going to look at the foam plugin for vscode, and who knows, maybe I am never coming back. I created an account with you yesterday with the intention to subscribe to Sync, and the inability to set up MFA is what stopped me. Here is one more perspective on how a potential Obsidian Sync user leaves literally seconds before giving you money, after they’ve already made a decision to give you money.