Proposal to require TOTP or physical security keys to upload artifacts #12
Comments
I believe Modrinth has stated that they plan to allow enabling this on a per-author basis once they roll out their rewritten authentication.
Other platforms that allow uploading code for other users to execute (e.g. NPM) require 2FA for all users. While 2FA is inconvenient, I believe it should be a requirement, not an optional thing.
I'm not sure if it's possible to require this for SSO?
I'm happy with this as long as there is an option to manually enter the key. I don't always have my phone on me, and it's annoying to have to open Bitwarden on my phone and capture the QR code on my screen due to a design oversight.
The implementation would probably have to be entirely on the mod platform side without relying on auth partners.
Completely agree with the displaying-the-secret part, there are so many reasons to display it; in my case it's loading the 2FA secret onto a bunch of YubiKeys. As for requirements for implementation: I'm not an expert with 2FA implementations so I probably wouldn't be the best for this.
Requiring TOTP or security keys for uploading artifacts could prevent attackers from uploading mods to compromised accounts in the event that a signing certificate is leaked; or if signing certificates aren't implemented, could also protect against credential stuffing.
I mention specifically TOTP or physical security keys cause SMS 2FA is inaccessible to people without a consistent phone number and can be subject to SIM swapping attacks. Email 2FA might also not be the best option cause those with reused passwords also likely reuse a password for their email.
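
A sketch of what platform-side TOTP for uploads could look like, with the manual-entry option requested in the comments. This is an added example, not part of the thread and not code from Modrinth or any other platform; the issuer name and function names are hypothetical, and it assumes the RFC 6238 defaults (HMAC-SHA-1, 6 digits, 30-second step).

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length most authenticator apps expect

def new_enrollment(account, issuer="ExampleModHost"):  # issuer is hypothetical
    """Create a secret; return it both as Base32 text and as an otpauth URI.

    The URI is what the QR code encodes. The Base32 string is shown next to
    it so it can be typed into a password manager or loaded onto a hardware
    token without scanning anything.
    """
    secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode()
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={secret_b32}&issuer={quote(issuer)}"
           f"&digits={DIGITS}&period={STEP}")
    return secret_b32, uri

def totp(secret_b32, counter):
    """RFC 6238 code for one time-step counter (HOTP dynamic truncation)."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, last_counter, now=None, window=1):
    """Check a code before accepting an upload.

    Returns the matched counter (persist it as the account's new
    last_counter) or None. Counters at or below last_counter are refused,
    so a code seen once cannot be replayed inside its validity window.
    """
    current = int(time.time() if now is None else now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(totp(secret_b32, counter), code):
            return counter
    return None
```

The `window=1` tolerance accepts one step of clock drift in either direction.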