Two Factor Authentication

+1 on this.

E2E is one of the great features of Obsidian. 2FA on top would make it even better.

3 Likes

+1 for the reasons mentioned above. I have 2FA on “everything” where I can.

3 Likes

I just wanted to add to this: I absolutely love Obsidian, but I was honestly taken aback when setting up my online/sync account at the lack of 2fa. At first I just thought I couldn’t find it, so I searched around, and indeed: nope. Does not exist.

Please please please add this in as a top priority! Our accounts are extremely vulnerable right now. Single simple pw auth is leaving us all exposed.

3 Likes

If Obsidian actually reads this and cares about revenue - you are leaving money on the table here. Just think about it for a second.

I wish I could just pay $100 and forget about my devices sync for a year, just use your service and not waste time on research to find a DIY alternative. But you don’t have MFA, which makes me think what else did you screw up? Redundancy? Backups? What exactly do you mean by “end-to-end encryption”? Simple server-side TLS is “end-to-end encryption”? Are all users encrypted with the same key in transit? How about encryption at rest? Do you use MFA for your own infrastructure?

Don’t get me wrong - I don’t try to discount everything you did in the UI and how amazing the app itself is. You are years ahead of competition like Confluence and Evernote, who to this day fail to understand that Markdown is a thing. But desktop and backend programming are very different, and your expertise in one does not tell anything about your expertise in the other. I do not have faith in your competence on the backend at this point, so I want to take care of it myself, so you will not get my money. Surely Google Drive is not going to screw up my data, it has end-to-end encryption as well as encryption at rest, and they do all sorts of MFA starting from the basic TOTP and into the U2F/FIDO2/WebAuthn lands.

Now think, how many others like me are out there but not wasting their time to tell you about it? This is such a low hanging fruit - any reasonable PO should see that and make sure it is done next week. And if you really are just 2 people and 2 cats and don’t have any POs - take my free advice AND JUST DO IT TOMORROW! This is important. This is your face, first impression, this is how you lose potential customers, big enterprise customers - every hour. C’mon, TOTP is 5 lines of code in any language - start with that, fancier MFA methods might come in later.

A hash of the salted password is sent for additional verification along with the login token.

What does it matter if it’s a hash or clear text password if it can be intercepted in transit and then used to decrypt? You basically just confessed that Obsidian has all the means to read the user data, what “end-to-end encryption” is your home page false advertising about? Stop embarrassing yourself.

Thank you for your rant.
There’s a short explanation of end to end encryption here: https://help.obsidian.md/Obsidian+Sync/Security+and+privacy

You have a lot of confused thoughts. Sometimes, when there are questions about security, I spend some time clarifying doubts. Unfortunately, this time I am too busy embarrassing myself so I’ll keep doing that.

4 Likes

You have a lot of confused thoughts. Sometimes, when there are questions about security, I spend some time clarifying doubts. Unfortunately, this time I am too busy embarrassing myself so I’ll keep doing that.

Lol, fair.

Antagonistic suggestions of your incompetence aside, there are people who will indeed not purchase Sync without some type of two factor :wink:

Two factor authentication for user login is one thing. It’s a totally valid request.
However, it has nothing to do with sync or end-to-end encryption.

2 Likes

I am not having any confused thoughts about any of that. I do this stuff for a living. The only confusion here is the one introduced by yourself.

Thanks for the link - it explains a lot. Here is a perspective to look at - by reading this thread, and not knowing there are two separate methods of end-to-end encryption you’ve implemented - it is very easy to read it as you transmit encryption passphrase or a hash of it to the server, which defeats it all. Just read the following statements of yours and try to read it as someone without the context you just provided:

The knowledge of login credentials DO NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.

And

A hash of the salted password is sent for additional verification along with the login token.

Now, after reading Security and privacy - Obsidian Help - now I understand you were probably talking about managed encryption and not end-to-end encryption. Is that right?

MFA has everything to do with the encryption and I am not confusing MFA with encryption here. You are confusing me with other people who confused it here in previous posts. I simply stated that the lack of MFA gives me a certain impression about your expertise in implementing your backend stuff and raises a lot of red flags, including, but not limited to, your implementation of encryption. This is how the two are related. I provided quotes of you in this thread, where you were discussing encryption, to demonstrate how you add to that lack of confidence, but I was not making any comments on the subject itself or making any direct relation in between MFA and encryption.

And a note about antagonizing. I am not antagonizing anyone. Not being nice is not the same as antagonizing. I don’t have to be nice to you or anyone else. Just as you do not have to be nice to me. Here is another perspective to look at - if I were nice to you, I would not be able to give you that perspective. I would not be able to tell you what a typical commercial potential user thinks when they find this thread, because what a typical commercial potential user thinks after reading this thread is not nice. And then you will never learn about that perspective. And then - you would never have had the opportunity to object to these thoughts and provide a link with explanation of your encryption implementation. Potential user then would leave this thread, this website, and go look for alternatives. So nice, but so pathetic and pointless. Because unfortunately most of the people tend to be nice and not tell you what they truly think, and a-holes like myself are rare and they are usually busy. So as a business owner you may fall into a survivorship bias fallacy. So, I personally find my antagonizing comment 100 times more valuable than 100 other nice comments. It so happens that I am interested in your product, and I will greatly benefit if you address my concern and make me able to use it, so I am genuinely trying to help. As an a-hole that doesn’t expect niceness, I do not expect you to thank me, I expect you to implement the damn feature, so I can give you my money.

Meanwhile, I am going to look at the foam plugin for vscode, and who knows, maybe I am never coming back. I created an account with you yesterday with the intention to subscribe to the Sync, and inability to set up MFA is what stopped me. Here is one more perspective on how a potential Obsidian Sync user leaves literally seconds before giving you money, after they’ve already made a decision to give you money.

Folks, please review the community guidelines.

If you are posting in support of this feature request, stick to providing context about why this feature is valuable to you, providing a use case, etc.

A reminder:
This feature request is valid (otherwise we would have merged it with another one, or moved it to a different category). It is therefore in consideration for future development… alongside the other almost-3,000 feature requests currently being discussed on here, the plans the developers themselves have for the app, and the mercurial and mysterious plans of the Obsidian cats, Sandy and Blaze.

A great many feature requests are valuable. A vast number are easy. However, design and coding time is not infinite, bugs actually might be infinite, and so the features we want are not always developed as quickly as we hope.

In software, as in life, patience is a virtue.

5 Likes

To clarify what I meant: Sync does not seem to have a direct connection to Two Factor, but in my view it does. The mere fact that one requires an Obsidian account in order to use Sync shows the connection simply. One must sign in with their username/password in order to access their Sync’d Vaults on another device - I would like to require Two Factor there on my account :smile:

And yes I am aware that you require the Encryption password in order to download the Vault, as has been stated in this thread before (except in the admittedly unlikely scenario that one does not use an encryption password :thinking:). However, it is simply a second password. Which is better than nothing, sure! But at the end of the day suffers from the same security issues that a normal password does: it can be stolen or phished from you and you may be none the wiser that it is known to others. Whereas even simple Two Factor is an ever changing number (so it cannot be permanently Phished), and Physical Tokens require that the hacker actually have access to something you can keep on your keychain. This is much more secure than simple passwords.

So yes, I maintain my statement: There are people who will indeed not purchase Sync without some type of two factor.

1 Like

I was wrong. I spent some time looking and there isn’t quite anything like Obsidian currently on the market. So I did return, I purchased a commercial license, and after testing it with Google Drive and seeing merge conflicts and sometimes partial loss of data - I purchased a Sync upgrade.

That is, however, a compliment to the frontend and not the backend. The fact that there doesn’t seem to be anything better out there does not excuse any deficiencies in your product. I must stress once again that the link to Security and privacy from @WhiteNoise is what changed my mind, and it took a bit of effort and research and looking into the team and their past accomplishments. This was not a positive first impression and most of the potential users will not go beyond negative first impression wasting time on additional research. Especially not after being sent out to read the community guidelines in response to a suggestion. Almost feels like I am on someone’s YouTube channel or OSS forum where I owe it to someone for the opportunity to be here and not the other way around i.e. a commercial product team interested in converting a potential customer to a paying customer.

There isn’t any excuse not to have MFA in 2022, period - that should have been there prior to the product launch. Especially since it doesn’t take that much effort to implement.

And to expand on @JordanMO point - in MFA the key word is factor. Two passwords is a duplication of one factor, even if they are used differently under the hood. A second factor, to be considered such, must substantially differ in terms of a potential attack vector, i.e. if both passwords can be stolen, phished or keylogged - a popular 2FA choice such as TOTP via Authenticator app would require physical possession of the device or theft of the HMAC secret material that cannot be keylogged or phished because it is usually never transmitted in normal operation.

yep. I’m no security guru but 2fa seems helpful to me. I use sync and am worried about my password being exposed somehow, e.g. breach of my pwd mgr or via keylogger. I know my local files can be read on my machine but still, a hacker w/ access to my machine might not think those files look interesting whereas someone w/ the password might try the remote server/sync’d file access.

Until/if Obsidian offers 2FA, generate a long random string for your pass phrase and store it in a password manager with 2FA. That’s almost as good and you’ll be fine.

1 Like

A long random password is a good step, but it is not even close to “almost as good” as Password + 2FA :no_entry_sign: :no_good_man:

Passwords can be leaked or phished, and you may have no idea they are known. 2FA constantly changes, and is much harder for a bad actor to get a hold of (especially a physical key).

2 Likes

Re-read my post. Don’t just use a random phrase. Manage it in a secure, 2FA managed vault. I agree native 2FA is better, but the hysteria in this thread isn’t warranted. The best you can do at this point is what I described. If your 2FA-secured passphrase vault is compromised, you have bigger issues than Obsidian not providing 2FA. Also note what is being secured here - sync protocol of contents that already exist on your device.

3 Likes

I’d be interested in this 2FA for user login as well, especially using hardware keys.

Thanks for the valuable technical info so far in this thread, it is a great read.

4 Likes

I checked the forum and roadmap but couldn’t find an entry, apologies if this is a duplicate.

Is there any plan of implementing TOTP based 2fa? The encrypted sync is great, but leaves room for brute-force against an account without 2fa in place as well.

5 Likes

+1

Almost becoming a mandatory feature in 2022

5 Likes

I was just turned to this program after coming from Joplin and I love it.
I was extremely shocked to see such a polished-looking program lack 2FA, U2F or certificates.

Would love to see this implemented and would be the icing on the cake.

2 Likes

Seconded. MFA is an absolute necessity for those who use Sync.

2 Likes