Wire-webapp: Add Two-factor authentication

Created on 11 Nov 2016  Â·  9Comments  Â·  Source: wireapp/wire-webapp

Hey,
it would be nice, if all Wire Clients Support a Two-factor authentication for the first login (or for the WebApp every login).
There are multiple options possible:

  • Send a SMS with a One-Time-PIN
  • Use a One-Time-Password Protocol like TOTP
  • Support FIDO U2F Hardware Device (Only Chrome Browser)
  • Authorized with another registered device (Like iTunes. Send a Push Message to the other device and ask if the login ok)

This protects against password theft.

Thank you for the great App :-)

feature / request ✨

Most helpful comment

Thanks for the suggestions, two factor authentication and PAKE (SRP or similar) are on the list!

All 9 comments

SMS have been proven insecure. TOTP or similar would be the way to go nowadays.

I would say, try to authenticate new logins using existing devices with a push notification asking for confirmation and use email/sms verification as a backup (not an ideal solution though). This way the user is alerted when someone has their password but is also able to get into their account without any logged in devices.

Off-topic: we should want to use SRP for password authentication, this ensures the server or anyone snooping on the connection can never see the password. (somewhat better than sending hashes because it also authenticates the server to the client)

Thanks for the suggestions, two factor authentication and PAKE (SRP or similar) are on the list!

I will close this issue for now until there are further updates.

Just signed up on Wire and very surprised to discover the lack of 2FA... Is it planned to be added soon? 🙂

I also recently signed up and was very surprised that there was no 2FA. My personal preference would be as follows all components optional and independent:

  • Allow for TOTP
  • Allow for U2F (FIDO)!

    • For adding mobile devices: touch U2F token on PC with Chrome also signed into account?

  • Allow for authenticated devices to authorize new device

I just opened this issue on the main wire page since 2fa is more architectural than specific to the webapp.

In my mind even for the webapp 2FA (best U2F) is very important, This would be a big improvement against phishing, or when using on a public PC.

The best way is like mailbox.org it does, for the applications use the static password and for the webapp use a PIN + U2F device.

Is 2Fa planned to be implemented any time soon? Otherwise it would pose security threat to most users

Was this page helpful?
0 / 5 - 0 ratings