Allow more 2FA Options
Whilst the recent enforcement of 2FA (via email) is a welcome addition to the security of High-Level, email-based 2FA is unfortunately one of the least secure 2FA methods.
So, please add more 2FA options.
Including at a minimum TOTP codes (a global standard) that people can use through whatever TOTP App they use.
(E.g. Authy, Duo, Google Authenticator, Microsoft Authenticator etc).
And at the same time, please:
- Allow an agency to select what 2FA options they will allow to be used across their clients.
- Allow Admins of a sub-account to also have this level of functionality to select what 2FA options users in their Sub-Account can use IF the Agency gives it to them.
Adding proper MFA (i.e. not email) is really important. This really needs to be done, guys. I would say put it at the top of the development timeline.
We 100% need this ^^^^^
TOTP as a minimum using an authentication app such as Authy/Duo/etc
And a nice-to-have would be direct integration with the more widely used ones so push notifications etc. can be sent to the authenticator app.
Barry - Element IT
110%, Nigel, this is a bare minimum. Anything else like email and SMS 2FA is just too easy to hack.
Email-based 2FA is not secure. 2FA with TOTP is best practice.
Critical. Both SMS and email are highly vulnerable.
100% need TOTP
Would love to see TOTP codes adopted. Email 2FA is a pain. This would secure login using Google Authenticator, 1Password, etc.
Definitely needed, email and SMS 2FA are both insecure (see SIM swapping), and incredibly inefficient and slow compared to TOTP codes that are supported by hundreds if not thousands of applications, password managers, and hardware keys of the user's choosing. Email 2FA means I have to switch to my email account, wait for the email to arrive, copy it, and paste it. With a password manager, it fills the TOTP code in for me and I don't even have to think about it (though if people want to separate their 2FA from their password manager, they still can--it's up to them).
2FA with TOTP = bare minimum.
2FA with Email and/or SMS = insecure dumb 2FA that probably shouldn't exist, should be able to be fully disabled for security, but can fill a compatibility niche for light users or those who don't pay attention to security.
I appreciate that there is some MFA, but having the password reset AND your second factor go to the same place seems like a breach waiting to happen. Please support TOTP with Google Authenticator (and those like it). Vote up!