You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Feature request for multi factor authentication. Considering this is storing private health data it is important that it be as secure as possible.
Why is this needed?
Ideally MFA would be handled by an external authentication provider such as OIDC or Forward Authentication (preferred). However, in order to develop a zero knowledge model, Fasten would require a user-inputted secret, which neither OIDC and Forward Auth make available.
Hence, the MFA burden falls on the app itself. This is a similar problem to what BitWarden/VaultWarden face with their zero knowledge model.
Implementation
Lots of options out there, but I would personally request support for the following modes:
Duo.com
TOTP
WebAuthn
I specifically request that email and SMS 2nd factor not be supported because of how insecure they are.
When is this needed?
Not now. This is obviously an advanced feature and other core features are higher priority in order to deliver basic functionality.
The text was updated successfully, but these errors were encountered:
What is this
Feature request for multi factor authentication. Considering this is storing private health data it is important that it be as secure as possible.
Why is this needed?
Ideally MFA would be handled by an external authentication provider such as OIDC or Forward Authentication (preferred). However, in order to develop a zero knowledge model, Fasten would require a user-inputted secret, which neither OIDC and Forward Auth make available.
Hence, the MFA burden falls on the app itself. This is a similar problem to what BitWarden/VaultWarden face with their zero knowledge model.
Implementation
Lots of options out there, but I would personally request support for the following modes:
I specifically request that email and SMS 2nd factor not be supported because of how insecure they are.
When is this needed?
Not now. This is obviously an advanced feature and other core features are higher priority in order to deliver basic functionality.
The text was updated successfully, but these errors were encountered: