Hey,
it would be nice, if all Wire Clients Support a Two-factor authentication for the first login (or for the WebApp every login).
There are multiple options possible:
This protects against password theft.
Thank you for the great App :-)
SMS have been proven insecure. TOTP or similar would be the way to go nowadays.
I would say, try to authenticate new logins using existing devices with a push notification asking for confirmation and use email/sms verification as a backup (not an ideal solution though). This way the user is alerted when someone has their password but is also able to get into their account without any logged in devices.
Off-topic: we should want to use SRP for password authentication, this ensures the server or anyone snooping on the connection can never see the password. (somewhat better than sending hashes because it also authenticates the server to the client)
Thanks for the suggestions, two factor authentication and PAKE (SRP or similar) are on the list!
I will close this issue for now until there are further updates.
Just signed up on Wire and very surprised to discover the lack of 2FA... Is it planned to be added soon? 🙂
I also recently signed up and was very surprised that there was no 2FA. My personal preference would be as follows all components optional and independent:
I just opened this issue on the main wire page since 2fa is more architectural than specific to the webapp.
In my mind even for the webapp 2FA (best U2F) is very important, This would be a big improvement against phishing, or when using on a public PC.
The best way is like mailbox.org it does, for the applications use the static password and for the webapp use a PIN + U2F device.
Is 2Fa planned to be implemented any time soon? Otherwise it would pose security threat to most users
Most helpful comment
Thanks for the suggestions, two factor authentication and PAKE (SRP or similar) are on the list!