Feature Request: Two Factor Auth #85
Comments
Thanks for the feedback!
I would like to suggest that you look into allowing Wire itself to be used as a 2FA method for other services. So, for example, a user could authenticate with Twitter by having the code sent to their Wire account.
Please add Email 2FA.
Please enable XMPP 2FA.
U2F support would be awesome.
Is two-factor authentication still being looked at? It's the only thing missing from Wire to bring it above the competition.
I'm not quite sure how you can claim to be "The most secure collaboration platform" with no 2FA/MFA.
Waiting for U2F support just like others.
Greetings all, I understand that one of the reasons Wire has so far not implemented traditional MFA is the difficulty in providing compatibility with the web-based, always accessible model of the messenger. I wanted to highlight something a messaging platform with similar constraints has done instead, which I think could be very well adapted to Wire:
I love the idea of lockdown but I think there is a very obvious solution to 2FA that should be very easy to implement on the web version: U2F hardware tokens.
https://developers.yubico.com/U2F/Libraries/Using_a_library.html Links here for libraries and code examples for implementation that would get someone started.
Looks like Electron implementation will be more of a problem. electron/electron#3226 I’d be happy to lose the ability to use the Electron app if I gained U2F/FIDO2.
Just to follow up - looks like Electron has fixed this issue, though the commenters seem unsure of how it will persist in the future. With this now working on Electron - I would personally consider this the most important feature missing ... how the application has gone this long without 2FA is difficult to fathom. @raphaelrobert any updates on this front? Please, please share with us some details. If there are underlying caveats ... I would love a blog post explaining some of those, possible solutions, etc.
Wire Pro accounts can now have 2FA through single sign-on (SSO), Wire Personal accounts are unchanged for now.
I'm hoping a paid personal account is considered in the future.
This is literally the feature stopping me from trusting/using Wire.
Are there any updates? @marcoconti83 @wireswiss
This is stopping me currently from recommending Wire to a bunch of organisations.
Hi everyone,
Hi @marcoconti83, we're trialing Wire Pro, but don't see any option to set up SSO (I assume SAML?) to test with MFA. How is this done?
Hi @x30n,
Is there any viability to incorporate the newly supported by W3C WebAuthn? I assume a lot of the work on Wire's side for SAML is already completed so changing gears to WebAuthn might be out of the question. Is there any benefit of SAML over WebAuthn?
Thanks for the follow up @marcoconti83. I did get in touch with support, but unfortunately they said SSO is currently only available for "Enterprises" (>500 users), not just paid Pro accounts... Glad to hear it's coming to a wider audience at some point - so that security conscious orgs can use MFA (FWIW - Phishing is probably a higher priority in most threat models than the malicious or compromised server threats that e2e addresses). Tangentially - IMHO it's really bad practice to restrict access to security features to premium tiers, for any product, but especially one that is attempting to distinguish itself from the competition with security*. </$0.02> *Understood that this may not be happening here - I suspect MFA was an overlooked feature in your initial design and SSO, which mostly only makes sense for organizations, is a hack to enable it without rearchitecting. Still, it can leave a bad taste if it appears that security features are being held hostage, even if not true. 🙂
Sounds great. Do you have any news about ETA, please?
I'm glad to learn that this is the Wire position. Not having 2FA/MFA available as the most basic premise of the Wire Platform has really caused a great number of gremlins to run around in my mind with regard to the integrity of the system. Given the nature of cloud systems, and the natural progression of a platform positioned as Wire towards enterprise infrastructure / universal application systems integration, it is critical that this is addressed as you are doing, and that the feature provisioning messaging to developers, engineers, enterprise architects, and other interested parties is loud and clear.
@raphaelrobert Is MFA coming any time soon? It is really crucial to online security of all users.
@v3EtBhYE if in 2 years Wire team didn't add this feature, they have proven to have little regard when it comes to security.
Hello,
This comment has been minimized.
Any updates?
@lucagoetheil Lol, no updates other than the Wire team trying to hide criticism by marking it off-topic it seems. (presumably this will also be marked off-topic or removed without comment from @wireswiss)
Any updates on this?
Migrate to Signal 😉
I was thinking the same lool
Exactly.
No matter the feature, privacy, or encryption comparison, I wouldn't see this as the reason for migration, or even a solution. Calling Signal’s Registration lock a shining example of 2FA is definitely not a case. Yes, Wire should add 2FA.
When an extremely important feature is ignored by the Wire team since 2017, it shows how serious they take security. Signal doesn't even have MFA because it doesn't need it by design, uses your phone number and a pin you define.
@Ralms
I also think that using a phone number as part of the authentication is not a good reason to use any platform. SMS is not a secure channel at all. Enthuse other users to use a different solution in the repo of Wire (or any other software) is not a clever, nor gentle thing to do.
Comparing Signal and Wire is not a fair comparison imo, they serve different but related purposes. Wire and Slack are more aligned on intended usage and functionality, and that's where security shortcomings are readily apparent. That said, it's still a huge faux pas not having 2FA after 3 years of being alerted to it, and for a high value target like a communications app, serious false advertising calling it "the most secure".
You might be confusing Telegram with Signal. Signal and Slack have 0 in common.
Ah, brain fart. I meant to type Wire and Slack, not Signal and Slack. I've fixed it now.
Well, on the other hand, I don't want to connect my phone number with my Wire account, so I actually like the fact that it does not require my phone number to work, including not forcing 2FA via phone. So how do we envision 2FA exactly, without phone number? That is an interesting question. Would you say a second e-mail account is sufficient?
@ZelphirKaltstahl SMS based 2FA is considered insecure, and authy apps are the current de facto standard, iirc. Authy apps do not require a phone, let alone a phone number.
Honestly, I didn't recommend Signal because of SMS 2FA or whatever, but because devs care more about security than Wire does.
It's been nearly four years and still no 2FA?
Honestly just switch to Signal.
Again, @KaKi87, how does this relate to Wire development? Use your Signal, stop being repetitive here, and may become happy :)
I wouldn't be saying that if Wire devs were listening to our requests.
It is said that they don’t reply, yes. But promoting other software is not helping anyhow; it is not a solution, nor a request. It’s only spamming many people with notifications about off-topic.
Yes, it is helping people using better software.
I am using both every day and I can’t say one’s better. I am missing 2FA in Wire as well as in Signal, also many features in both. To top that off, it’s hell to change the number with Signal. Try to move to a different country with it. 😭 I am leaving this off-topic, have a lovely day.
Signal doesn't need 2FA, your phone number and the pin you set is a 2FA by itself.
I will be happy if we can continue in an appropriate discussion for that and you can guide me on how to do it: signalapp/Signal-iOS#967
If there are people here who are planning to attend https://zfoh.ch/zurihac2021/, last year I made a start on This year I'm planning to finish up the library and add support to https://github.com/wireapp/wire-server . Having this supported in the backend is a small step; but at least it's a step. Hopefully we can then use that legwork to implement this into the client someday :) If you're attending Zurihac and want to help out. That would be greatly appreciated! I added some notes for myself in this repo last year with useful reading resources: https://github.com/wireapp/fido2-hackathon
Any update on adding 2FA to Wire?
seems unlikely to be prioritised anytime soon considering most of the customers are large enterprises now and they all have 2FA via their SSO providers
Simply move to Signal.
I'm currently testing out Wire. One thing that immediately stood out to me is the lack of two factor auth across the whole platform. To me, this is a critical feature of a security minded service of any kind.
Off the top of my head, the following things would be a great start if they were able to be enabled independently of each other: