Two Factor Authentication

+1 from yet another highly engaged user. Just for general safety of private data.

1 Like

+1

MFA is essential nowadays.

2 Likes

Really need 2 factor auth. It’s necessary for security.

2 Likes

I’d like to add another emphasis/data point re: a technical/security-aware user being mildly shocked not to see a TOTP-or-better 2FA option after creating my Obsidian service account with intent to try out Sync.

Prioritization is incredibly difficult (I’m an OSS dev with millions of downloads, so I feel that pain very deeply!) but as stated upthread, vanilla TOTP-based 2FA is a well-understood, typically easy-to-implement solution available on nearly every programming runtime under the sun. And it’s offered by increasingly many cloud services large and small.

Lacking 2FA (and for that matter, not even having it on the Trello board - tho yes, I hate punishing what’s otherwise blessed transparency!) says negative things to security-conscious potential users about the Dynalist/Obsidian team’s high level priorities, and will also sow doubt (unearned or not) about their collective security competence.

In other words, a lot of folks will start out where @dee-kryvenko did, and not come back to do another round of digging (like he did, and like I just did) to go “well… the vault itself is E2E encrypted with AES-256, maybe I don’t mind as much about threats to the rest of my account… especially if other sync platforms are being flaky”.

3 Likes

+1

Almost becoming a mandatory feature in 2022/2023 :pray:

1 Like

+1 was just about to pull the trigger on a year of obsidian sync, then realised there is no MFA :slightly_frowning_face:

+1 for this. Hopefully right away with FIDO2 and any silly SMS things etc.

Going to toss in my +1 into this conversation. I’m not going to use Obsidian Sync until there’s an MFA option available. It’s a fundamental security measure and I’m surprised this isn’t available yet.

Please consider prioritising this feature.

I agree that it would be useful. But to be clear, you are requesting that there be 2 factor authentication in addition to the encryption key that you set when saving a vault with Obsidian Sync, right?

1 Like

Yes.

Encryption-at-rest is an excellent way to prevent unauthorized parties from being able to intercept information stored in the database (even if they were to somehow be able to access the database), but it isn’t effective in the event of an unauthorized party accessing your account through social engineering, brute forcing a password, or password spraying a cracked password from a different site.

I don’t know how Obsidian works against unauthorized parties being able to access accounts, but I’ve been able to access my account across different devices without any sort of protection mechanism (i.e. “we have an unrecognized device accessing your account, please confirm this is you”), and this is an important protection mechanism I’d expect especially if I have some confidential notes. If I store my notes only on my local device, sure that’s fine, but if I’m expecting my notes to be backed up to a server I want to make sure these notes can only be accessed by me and me alone.

In essence, end-to-end encryption is a great thing to have, but 2FA is necessary to prevent unauthorized access in the event of an account compromise.

1 Like

@mirbs Even if your account was compromised, it would be impossible for someone to access your vault via Obsidian Sync without the encryption key. This can be an extremely long passcode that only you know. That being said, I would still appreciate having to authenticate using 2FA after typing in my encryption key. Or possibly, an email when the vault is accessed would be nice.

1 Like

I understand that the encryption key is needed to unlock the vault, but it’s still as vulnerable as a password in that if its value is known (through social engineering / shoulder surfing / keylogging / etc.) an unauthorized party can access it. I think having 2FA after supplying the encryption key would be a great protection mechanism. And I like the idea of an email being sent when the vault is accessed.

2 Likes

Read one of my posts above about the distinction between authentication credentials (where 2FA can be added) and the E2E encryption password (where it can’t).

I’ve been reading through the previous posts to catch up on the discussion for this feature request. There absolutely is a distinction between the authentication credentials and the encryption password.

Without knowing the schematics, I’d estimate the encryption key is never stored anywhere and is only used to encrypt / decrypt contents, while the account password is hashed and stored with the user data.

MFA makes the most sense to apply at the authentication level, only allowing access to an account after the user has successfully provided multiple factors of authentication. The additional factor is something that changes for each authentication request, so even if a password is compromised it prevents an unauthorized user from gaining access unless they complete an additional factor. MFA could be applied at the vault access level, but that is likely unnecessary since the user has already completed MFA to access their account.

I do think sending an email when a vault is accessed could be a useful security feature, as it is a way to let the user know their vault’s been accessed in the event their vault encryption key has been compromised. It’s a separate concern from MFA altogether, but I think it could be a valuable feature.

1 Like

Also +1 here. MFA with TOTP at minimum, ideally with support for U2F/FIDO security keys and/or passkeys would be great. Account security for something like this is paramount. I would like to require the use of my Yubikey for this account.

1 Like

Anno 2023, it’s a sign of immaturity when a company does not support 2FA out of the box. While encryption is supported, the lack of 2FA is risky. When sharing medical details or finance information in your notes, as I have to for my research papers, I need to rely on a system that is secure.

Obsidian, unlike Evernote, checks all boxes. But the lack of 2FA is a big no-go.

1 Like

Update: as for now, I’d recommend using a password of 70+ characters, which ‘feels’ more secure.

e.g. ‘[email protected]!7wF8L8vREi’

There’s no point in making a password this long. Stick to 20.

Woho! A new card called “2FA” just showed up on the roadmap.

4 Likes