Implement 2-step verification

#21

looks to me like Google at least offers 2-factor authentication (https://support.google.com/accounts/answer/185839). so if you set up your Google account to use 2FA, and then you set up your iNat account to log in via Google authentication, then don’t you indirectly get 2FA into iNat that way?

#22

How would you log in to inat via Google authentication?

#23

Just want to toss in here that despite my best efforts I never remain logged in through my browser and have to re-enter username and pw every single session. I favor 2FI but implementing it when this flaw exists would probably discourage me from just hopping on for a quick look or upload.

1 Like
#24

Flaw? You should contact the devs.

1 Like
#25

https://www.inaturalist.org/auth/google_oauth2

#26

I’ll be honest–I hate two factor identification. It requires access to my phone at all times. Yes, I can set it to remember me, but that only lasts a few logins and then I am again scrambling to use my phone to verify myself. I’m not against security, but frankly, you’d think tech companies could find a better way. Your point about being hacked is important–I just wish there were a way to add more security without two-factor. At work, my connectivity is so bad that I can request an access code on my phone in the morning and receive it at the end of the day when I leave work–not great when I am trying to get into my own email.

1 Like
#27

totally agree. I think it’s overkill and if there are security issues we can find some other way to deal with them. I also don’t give websites my phone number, ever. If there’s any website i would give it to, it would be iNat, but i don’t like to encourage websites pushing that. Facebook ended up losing or selling a bunch of theirs.

2 Likes
#28

I’m pretty sure it’s a browser issue and I doubt Google cares.

1 Like
#29

I agree with @zoology123 and @wolfgang8741.

I personally would like to see 2-step verification as an option. I would like something like what is offered here on the forum. A completely optional setting to implement two factor identification, an authenticator of your choice, and/or a security key / backup code on your account.

4 Likes
#30

Perfect response.

1 Like
#31

Certainly possible to add as an option, but we would want to implement email verification for new accounts first. I’m personally not a fan of text or phone call based 2FA, but authentication apps are pretty cool.