2FA for Joplin Cloud?

I wonder if it's possible to get 2FA via an authenticator as a feature for the Joplin Cloud management account? I somehow see sort of a risk here: if a mailbox is compromised, the data is automatically at risk as well. Less security-affine users might also be vulnerable to credential stuffing. Given the "knowledge" that is stored in notes, these are an attractive target for attackers.


Yes, it's going to be added soon. In the meantime you may want to enable encryption, as this secures the notes even if your mailbox or Joplin Cloud password is compromised.


If you use a good password, keep your password in a safe place, and check the connection for the correct URL and site information when you connect to your cloud management account, your "simple" password (without 2FA) is just fine, will never be compromised, and your data is safe too. If you have doubts about this claim of mine, read up on 2FA on Bruce Schneier's site.

Well, sadly no, and it's not enough. Nearly every corporate process demands a second factor of authentication for external services; it's state of the art for a reason, especially if accounts have admin capability. You cannot assume to be safe from human error or immune to phishing etc., especially not in a multi-user environment with less IT-affine users. Just relying on a "good" password can get you into issues faster than you might expect. There is also no way to really avoid password re-use in your user base. If a service does not offer such a feature, it's simply not usable for many commercial users. So it's pretty good to hear that this is going to be added soon. Really looking forward to it.

Further reads: Multi-Factor Authentication | NIST


Just because many people (or organizations) have decided to follow the herd does not mean they are going down the best route. You have stated your opinion, I have stated mine. All fine with me. But if you are interested in the limitations of 2FA (shouldn't everyone be?), then read Bruce.

As a note, if / when this is implemented (which would be really great; for example, my workplace too forbids using online services that do not provide 2FA, so I can only use Joplin privately; also, though I understand not everybody is as convinced, there are good arguments for 2FA being something positive for security 🙂), it would be great to consider support for several methods, such as:

  • 2FA via an authenticator app (as mentioned)
  • recovery codes ("the usual", i.e. providing a list of recovery codes that can be used if the user's 2FA app dies or similar)
  • ideally, some form of FIDO2 would be even better (for example, I like to use my Nitrokey 3C with NFC as my hardware token to log on to all kinds of websites etc.)

2FA is better than 1FA (or a password alone). But nothing is foolproof. And different forms of 2FA are better than other forms of 2FA.

In a sense it is already 2FA because of the two passwords in play. But usually what 2FA refers to is "something you know and something you have", i.e., one factor is tied to a password (something you know) and another factor is tied to something you have (a device, a FIDO USB thingy, etc.).

Passkeys combine these two things (what you know and have) into an easier workflow.

Anyway. Yes, if you use a good password and you have encryption enabled, you are in a decent place. But adding something additional would be very welcome.

To support MFA, the mobile/desktop client authentication logic has been updated in the 3.0.x pre-releases:

Related changes are also being made to Joplin Cloud.