2FA for Passcode Lock (Every local sign-in) #2521
-
Is it possible for my account to require my 2FA code for every local login in addition to the local Passcode Lock that I have set, or is it only available to be added on initial sign in to my Standard Notes (Extended) account?
Replies: 16 comments
-
2FA only applies to initial sign in. Requiring it on app unlock might be possible, but a bit out of the way, because currently all the validation logic for 2FA happens on the server and not the client. We'd need to introduce client-side validation for it to work for local unlock. Interesting idea, but probably not anytime soon.
-
@mobitar I know you are probably swamped with higher priority issues for this great product, but maybe instead of requiring 2FA on app unlock, you could give us an option to set an automatic log out after a certain amount of time or every time. This would be easier to implement from a developer perspective, and here's why it would be extremely helpful for the end-user: If I'm signed in to Standard Notes on my laptop and I get this device stolen, the attacker now has unlimited chances for brute-forcing a flimsy app-unlock password. We can't remotely sign out of that machine à la WhatsApp Web either. However, if the app automatically signed out and deleted local data after a certain amount of time (or every time on higher risk devices), we would be effectively limiting risk exposure because 2FA is required to sign in again. Having 2FA enabled offers very little security benefit imo if it's only going to be used one time. I hope you'll consider implementing a timeout like this or a similar solution; it would be invaluable for me and I'm sure for many others. Thank you.
-
It's a valid use case. I think we'll build on this in the future.
-
Hey @mobitar, I was just about to make a post about this, because I thought that my 2FA wasn't working. So 2FA is only required when registering a new device? So even a sign out / sign in on my current devices shouldn't trigger a 2FA request when logging in, only if I were to try and install (or someone else were to!) on a new device? Thanks.
-
Hi @harrisondesbrosses, until Mo chimes in, I figured I could answer your question. 🙂 Regardless of whether a device was used previously, whenever a user signs out they are required to input the generated 2FA code each time they attempt to sign back in. What exactly isn't working (with regards to 2FA) for you?
-
@alperenguman Currently, when logging into the app, you can uncheck the option to
-
I'm running 3.4.10 on all of my machines (desktop, laptop (both macOS, but with the desktop running 10.13.16 on a Hackintosh, and the laptop running Mojave)) and the latest version of iOS. I have never run Standard Notes in a browser; I didn't even know that was possible. I can confirm that I am not ever prompted for a 2FA password upon opening Standard Notes. When I open the 2FA manager extension link in "Extensions" it reads as enabled, and I have recovery email disabled for security reasons; could that be it?
-
Just to make sure - is this when you launch the app or log into Standard Notes? If you launch the app, it won't ask for your 2FA code. If you're logging into Standard Notes, it should ask for the 2FA code every time that you've logged in.
I don't think it would. That just means that your account would be generally inaccessible (you would still be able to decrypt backups of your notes if you had them) if you lost access to your 2FA option.
-
I'm confused, isn't protecting my SN database with a password and quitting the app, then later opening the app and entering the password, considered logging in? Maybe I'm confused about terminology here, but my issue is that I have never been prompted to enter my 2FA code upon opening the SN app after entering the database password. Should I try signing out of the app completely and then signing back in? Now I think I understand!
-
This is expected. One way to think about it is when logging into other services that provide 2FA, they provide an option to remember your browser. That way the next time that you have to sign in, they only ask for your password unless you've cleared out your browser's cookies. With a passcode lock, most users are expecting one form of authentication as they might find themselves unlocking the app several times a day. You're already logged in and the keys generated from your password encrypt your data. From there, your passcode encrypts your keys.
Yes, that should achieve the desired effect. In order to be logged out automatically and more frequently, uncheck the option to
-
@JaspalSuri One last question: I never noticed the strict sign in option before, which is great! However, upon enabling it, I received the following error message. What can I do to get past this? I had to disable strict sign in for now in order to access my data.
-
(re: 2FA) I'm glad to hear that! Currently the latest encryption specification for accounts is v004. This hasn't been rolled out to everyone yet, so strict sign in won't work for your account yet. If you'd like to upgrade your account's encryption, please download a backup of your notes outside of its default backup folder and click on
-
@JaspalSuri Ok, with regards to my other devices... should I log out on them before doing this on my desktop to prevent issues?
-
I think you would have to log out of them anyway, so logging out in advance might be a good idea.
-
I can confirm this worked! Thank you.
-
You're welcome; thanks for letting us know! I'm glad to hear that it worked out! 🙂