Feature Request: Two Factor Authentication / 2FA on Accounts

Hi,

I would like to request that two-factor authentication (2FA) be implemented on the Netlify platform. To be specific, I’d like to request time-based one-time passwords (TOTP) through an application like Google Authenticator as well as U2F hardware tokens such as YubiKey and similar. 2FA through SMS is no longer considered a secure form of 2FA.

Netlify has control of some seriously important things, so protecting your account should require more than a standard password.

Please let me know what you think and if it is already in the roadmap.

Thanks,

4 Likes

Hi, welcome to the forums!

We’ve got it in our feature request list to add that if you’re signing up to Netlify with the email/password combo.

For now, though, we recommend that if you need 2FA then sign up to Netlify with your google or github account and enable hardware specific-2FA on those instead, and that’ll grant you the equivalent level of protection.

1 Like

Thanks!

I had signed up using email and password because I like keeping my accounts separated in case one is compromised.

I’ll stay tuned to see if this ends up on the roadmap :slight_smile:

1 Like

We’ll let you know if we implement something like that - we do have an open feature request on it and will add this thread to the list of folks to notify if things change around our implementation.

1 Like

A post was split to a new topic: Signing up for netlify with google

Jamie caught my screw up on this thread: Signing up for netlify with google

Signing up with one of the repo providers and enabling 2-factor will give you the protection you seek. Ignore me saying Google. :wink:

1 Like

This is great, but I just want to reiterate that I’m using email login, not SSO. My request is to have 2FA for email users.

1 Like

@nraboy I’m with you, but I figured I’ve already authorised Netlify with GitHub and GitHub has u2f, so I deleted my Netlify account and re-signed up using my GitHub account. Note that you can change you email Netlify address having done that.

+1 for 2FA for email users.

I don’t want to use my GitHub or Google account, as I like to keep all my accounts separate too, like @nraboy, in case one is compromised, for extra privacy, and to avoid an extra dependency. I want to be free to delete any account I have anytime without compromising any others.

thanks for commenting on this. We know this is a desirable feature for many different reasons. I have added your voice to the chorus on the issue, @danielrlc!

1 Like

@perry any eta for this feature?

hey @Wdotis, I don’t have any updates at the moment, I’m afraid, but I did mention that there is still a strong interest in this being implemented on the relevant issue. I’ll absolutely update this thread when we get any news. Thanks for your patience.

+1 I’d like to also voice my strong support for 2-factor on email+pass accounts. My email account is more secure than my GitHub/GitLab/BitBucket accounts, so it’s a shame that I can’t use 2-factor with it.

Netlify is the last major service I still use that doesn’t support 2-factor natively.

1 Like

hey everyone!

You may have already heard, but in case you didn’t, Netlify now supports 2-FA (2-Factor Authentication) on accounts :flight_departure:

More info here:

Thank you all for your patience as we worked on implementing this :smiley:

1 Like

Invalid OTP message on 2FA using Microsoft Authenticator.

oh no, how annoying. Can you give us a bit more info? Has this previously worked for you?

I have tried to enable 2FA with Microsoft Authenticator. When I scan the QR and enter the OTP code, it says invalid OTP. I can’t enable it

hmm. thanks for letting us know! I will try and get more information. Are you able to use a different authentication device?

I just tested this (by installing microsoft authenticator on my phone and enabling 2FA on one of my netlify accounts) and was able to get it working no problem! Doesn’t mean i don’t believe its happening to you, but maybe it is something specific to your phone or your account?

Are you able to log in via a different 2FA device? are you able to get log in to your netlify account or are you logged out with no access? let us know and we can keep troubleshooting.

1 Like

I have tried with Microsoft authenticator and this time I am able to use it. Looks like something went wrong on the previous.