Add 2FA

[MagicLike]

For obvious security reasons (e.g. on a large scale), I would say that the option to use 2FA is a requirement.

[ThatOneCalculator]

Yes, please! I love using Umami but I feel this is something that's very necessary to add.

[boooong123]

Any updates on this feature request?

[samumatic]

2FA options like:

• WebAuthn
• OTP
• E-Mail

would be a secure basis.

[h0ek]

+1

[sudiptosarkar]

I just installed Umami, and I'm loving it already. But considering the fact this is a public facing service, the 2FA is a crucial missing ingredient.

Few ideas to begin with, on top of the options laid out by @samumatic:

• TOTP (Google Authenticator and stuff)
• Passkey (Fingerprints on phones and laptops, Face signin on Windows (works on Edge and Firefox for me, Chrome should work too))

[VMBindraban]

Any progress on this?

[mgntrn]

I'd like this too :)

[dewald-els]

We are looking at using Umami but unfortunately without 2FA we can not proceed. Is this something that is in the roadmap?

[rakurtz]

Very much appreciate this too. 2FA is a must on a public facing site these days.

[0xA1F1E]

I am baffled that this feature request for a basic security feature like 2FA is 3 YEARS old! How has this not been implemented yet? Very much required for a service that is meant to be running publicly.

[h0ek]

I am happy to donate some 🪙 for this :) just let me how much you need 💸

[MitchellSimY]

Bump - I love to see this feature please. In the current self-hosted version of Umami, it appears that one could possibly brute force the UI. I would really love if there was email 2FA we can set up.

[sudiptosarkar]

@MitchellSimY, Email is more of a hassle than say, Google Authenticator.

We'd have to setup SMTP server connections.

[MitchellSimY]

I see - I wouldn't mind an Authenticator app at all either! That'd be cool

[guiyumin]

wow, still no 2fa

[drefrajo]

2fa would be very good to see indeed.

Especially TOTP and WebAuthn seem practical. (also, passkeys instead of username/password/2fa would be neat as well)

[boutterudy]

I like the idea of adding 2FA functionality to Umami, but in your opinion, which approach would be best suited to Umami for implementing 2FA via an app (e.g. Google Authenticator, Proton Authenticator, etc.)? 👀

A. Mandatory for logging in, enabled for everyone
B. Configurable in settings (toggle), disabled by default
C. Configurable in settings (toggle), enabled by default
D. Other approach

Personally, given that this is an open-source application used by many people, I would tend to initially allow the admin to configure it (toggle), and then, at a later stage (once the system is fully in place, functional and tested), potentially make it mandatory to improve Umami’s security 💯

Initially, I could see the 2FA system being enabled by default for all new Umami installations, and disabled by default for existing installations (to avoid causing a mess for existing users) 🤔

What do you think? 👀

[sudiptosarkar]

I like the idea of adding 2FA functionality to Umami, but in your opinion, which approach would be best suited to Umami for implementing 2FA via an app (e.g. Google Authenticator, Proton Authenticator, etc.)? 👀

A. Mandatory for logging in, enabled for everyone B. Configurable in settings (toggle), disabled by default C. Configurable in settings (toggle), enabled by default D. Other approach

Personally, given that this is an open-source application used by many people, I would tend to initially allow the admin to configure it (toggle), and then, at a later stage (once the system is fully in place, functional and tested), potentially make it mandatory to improve Umami’s security 💯

Initially, I could see the 2FA system being enabled by default for all new Umami installations, and disabled by default for existing installations (to avoid causing a mess for existing users) 🤔

What do you think? 👀

B., @boutterudy

[MitchellSimY]

Configurable for sure.

I wouldn't mind built in support for an Authenticator app. I'd also be totally down for configurable SMTP values for email support too. Eg we provide our own SMTP values etc.

[boutterudy]

@sudiptosarkar @MitchellSimY Thank you very much for your replies! 🙏

I’ve been working on a 2FA implementation with a more refined system than simply forcing it on everyone: administrators can make 2FA required for everyone; or just for certain teams; or just for certain users; it’s more flexible and seems well-suited Umami's features! 👏

Please feel free to take a look at the pull request and give me some feedback on the code or security. I’ve done my best, but I’m 100% open to your feedback! 🫶

Pull request: #4205