When I made an account on the forums, I wasn’t logging in with Replit. Very odd, as Replit has Repl Auth and surely that would be easier to implement?
As an extra bonus however, the forums accounts actually have more security than Replit. 2FA exists here but not on Replit, and even though you can sign up on Replit with something like a Google account that has 2FA, if you signed up using a username and password you are locked with that and no 2FA as a login method indefinitely, so one password will always be a method to hijack the account. Seriously, this needs to be changed.
These forums use Discourse and the sign-up settings have not been changed other than adding a field for your Replit username. The stuff like 2FA is already built in and has not been disabled. Replit auth has been brought up many times before and it has been said they are working on it. @LenaAtReplit any updates?
Yeah it would make sense to actually validate the entered Replit usernames as well, I could just say my Replit account is amasad and there would be no validation.
I can’t believe it has been nearly a year since this was posted and Replit still doesn’t have 2FA/MFA for email accounts. I signed up for premium before I realised how insecure my account is. I am going to have to try to get a refund and then port all of my work to a different account. So disappointing to have to deal with this in 2023.
At present you have three options for signing up and logging into replit.com: Google authentication, GitHub authentication and via an email address. Both Google and GitHub already allow for 2FA to be set up on the account.
We agree that having 2FA is important and it is slated to be included in a future update. I cannot comment on when that will ship, though. We want to get it right. However, if you want 2FA at the moment it is available, just linked to Google or GitHub logins.
…if you want 2FA at the moment it is available, just linked to Google or GitHub logins.
Does this mean that if I link my GitHub account to my current Replit account, that I will have 2FA? The biggest issue I have is that my current account has a premium subscription and quite a bit of work that I don’t want to have to port over.
If not, please roll it out soon.
There are good open source options out there for rolling authenticator codes, you don’t have to reinvent the wheel.
2FA is useless if a user can still log in with a password. Since people who only use GitHub authentication can reset their password, 2FA is effectively useless if a user’s email account is compromised.
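Added example (not from this thread or from Replit): the "rolling authenticator codes" mentioned above are RFC 6238 TOTP, and the last post's point is that the email-driven password reset path must demand the same second factor as login. The snippet below implements TOTP over HMAC-SHA1 and a small login/reset policy around it; `make_account`, `login_with_password`, `reset_password` and the sample account are assumptions made for illustration, and `RFC_SECRET` is the RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the Unix time `at_time`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, at_time, window=1):
    """Constant-time compare against the current step and `window` steps either side."""
    return any(hmac.compare_digest(totp(secret_b32, at_time + d * 30), code)
               for d in range(-window, window + 1))


def make_account(password, totp_secret=None):
    # Constructed sample account; sha256 stands in for a real slow password hash.
    return {"pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "totp_secret": totp_secret}


def login_with_password(account, password, code, at_time):
    """Password login: once enrolled, the code is mandatory on this path."""
    if not hmac.compare_digest(account["pw_hash"], hashlib.sha256(password.encode()).hexdigest()):
        return False
    if account["totp_secret"] is None:  # unenrolled: password alone, as the thread complains
        return True
    return verify_totp(account["totp_secret"], code, at_time)


def reset_password(account, email_link_ok, code, at_time, new_password):
    """Email reset also demands the second factor; otherwise a compromised inbox bypasses 2FA."""
    if not email_link_ok:
        return False
    if account["totp_secret"] is not None and not verify_totp(account["totp_secret"], code, at_time):
        return False
    account["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


# RFC 6238 test secret ("12345678901234567890" in base32); not a real credential.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

The reset path only accepts a new password when the emailed link and a valid code are both present, which is the check the thread says is missing when reset works from the inbox alone.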