Why does the forums have different sign-up, and MORE security than Replit?

codingMASTER398 · August 7, 2022, 11:54am

When I made an account on the forums, I wasn’t logging in with Replit. Very odd, as Replit has Repl Auth and surely that would be easier to implement?

As an extra bonus however, the forums accounts actually have more security than Replit. 2FA exists here but not on Replit, and even though you can sign up on Replit with something like a Google account that has 2FA, if you signed up using a username and password you are locked with that and no-2FA as a login method indefinitely, so one password will always be a method to hijack the account. Seriously, this needs to be changed.

not-ethan · August 7, 2022, 11:58am

These forums use discouse and the sign up settings have not been changed other than adding a field for your Replit username. The stuff like 2FA are already built in and has not been disable. Replit auth has been brought up many times before and it has been said they are working in it. @LenaAtReplit any updates?

CodingCactus · August 8, 2022, 7:46am

Yeah it would make sense to actually validate the entered Replit usernames as well, I could just say my Replit account is amasad and there would be no validation.

IanAtCSTeach · August 8, 2022, 9:43am

Hi @CodingCactus yes it is currently just a text field which wouldn’t be required if we used Replit usernames as SSO.

JimmyPronto · July 17, 2023, 5:49pm

I can’t believe it has been nearly a year since this was posted and Replit still doesn’t have 2FA/MFA for email accounts. I signed up for premium before I realised how insecure my account is. I am going to have to try to get a refund and then port all of my work to a different account. So disappointing to have to deal with this in 2023

not-ethan · July 17, 2023, 9:55pm

I requested it in Decemeber and there were no replies from Replit staff Add increased account security

JimmyPronto · July 18, 2023, 4:47pm

That is pretty shocking. Surely adding 2FA via authenticator apps isn’t hard for a company like Replit?

IanAtCSTeach · July 19, 2023, 11:20pm

Hi @JimmyPronto thanks for your question.

At present you have three options for signing up and logging into replit.com: Google authentication, GitHub authentication and via an email address. Both Google and GitHub already allow for 2FA to be set up on the account.

We agree that having 2FA is important and it is slated to be included in a future update. I cannot comment on when that will ship, though. We want to get it right. However, if you want 2FA at the moment it is available, just linked to Google or GitHub logins.

Hope this helps!

JimmyPronto · July 20, 2023, 12:06am

Hi Ian,

Thanks for your response. Regarding this:

…if you want 2FA at the moment it is available, just linked to Google or GitHub logins.

Does this mean that if I link my GitHub account to my current Replit account, that I will have 2FA? The biggest issue I have is that my current account has a premium subscription and quite a bit of work that I don’t want to have to port over.

If not, please roll it out soon
There are good open source options out there for rolling authenticator codes, you don’t have to reinvent the wheel.

Thanks,
Jimmy

IanAtCSTeach · July 20, 2023, 12:09am

No, the account would have to be set up using your Github login.

not-ethan · July 20, 2023, 12:16am

You will retain your current subscription if you connect an account on https://replit.com/account

9pfs1 · July 20, 2023, 1:23am

2FA is useless if a user can still log in with a password. Since people who only use GitHub authentication can reset their password, 2FA is effectively useless if a user’s email account is compromised.

JimmyPronto · July 27, 2023, 10:22pm

Can you reset your password on GitHub with email alone if you have an authenticator app paired?