Comments (19)
Hello! I've been using Supabase for some months and I love it!
I'm dealing with crypto and exchange APIs on my website, so naturally some of my users asked for 2FA, and by searching how to do it I found this issue, so I'm here to confirm the need for 2FA for Supabase sign in ✅
I thought about doing my own TOTP system but it cannot be secure enough, since Supabase will always give the accessToken when a proper email and password are given to it.
If there is a leak of the password of one of my users, a guy can always use supabase.signIn directly in the console of my website and get the accessToken, so a custom TOTP asking process will never be secure enough; it needs to be implemented by Supabase directly to be 100% secure.
That's all, thank you for the great work 👋
from gotrue.
Hey everyone, @J0 is working on this feature in gotrue and you guys can check out the gotrue/mfa_v1 branch for the implementation details. We have also opened up an early-sign up list if you are using Supabase and looking to try out MFA in a project.
We're working on it! Out of curiosity, which aspect of MFA are you hoping to integrate (e.g. TOTP authenticator, SMS, email)?
Can't say much but there'll be updates on the feature before our next launch so keep your eyes peeled for then... 👀
I hope for a TOTP authenticator, because that is more independent and so more secure, and it doesn't need to wait for a message to be received.
any ETA? :D
Hey team,
Going to close this issue since TOTP MFA has landed in prod. If anyone has issues please feel free to reach out.
Thanks!
Any plans to support WebAuthn?
I'm moving this to our GoTrue fork - let's see if we can do this during Hacktoberfest 🚢
Tracking this with the Netlify team - we will see if we can add this and merge it into their server.
We're in the process of catching up our UI to GoTrue's full API potential, so this will likely be a task for next month's release.
Just came here from the blog post and wanted to voice my support specifically for TOTP and especially WebAuthn.
A long term stretch of being able to fire off a push notification would be awesome too, but I don't think it's as easy or reasonable to implement.
Okta has a pretty nice breakdown of the various MFA security options available today: https://help.okta.com/en-us/Content/Topics/Security/mfa/about-mfa.htm
hi @tomekit, it's on the roadmap but we don't have a timeline for this yet as we are prioritising other features such as webhooks / anonymous logins over U2F right now
I love supabase too, the only reason I'm not using it for my current project is because of the lack of MFA. Any ETA?
When your users use a Social Provider (e.g. Login with Google) to access your services via Supabase, shouldn't MFA work (on the Social Provider side), if the Social Provider supports it? E.g. when we talk about Google as Social Provider, you'd enable MFA in the Cloud Console (https://cloud.google.com/identity-platform/docs/web/mfa)
@RichiCoder1 We've noted your feedback -- the table in the link you've provided gives quite a nice comparison so thanks for that!
Hey @steffenstolze yup you are right, if you have MFA enabled on the Social Provider and you are logging in with your social provider then you will have to use MFA.
However, this wouldn't cover all cases (e.g. email/password), which may be needed for compliance purposes or general security reasons.
@J0 Absolutely! A complete solution that covers all use cases would be the best, of course 👌🏻
Is the 2FA feature ready yet? I am building a system that needs 2FA and was wondering if the GoTrue API has this feature or should I use something else like ORY/Kratos?
For Webauthn MFA and Passkey support please follow #92
Since the initial feature request mentioned U2F, just a question: is it going to be implemented?