2FA for Zotero account

Hey!

Happy new year Zotero team, I'm wishing you the best for 2020 :)

Is there any plan to add 2FA for the Zotero accounts?

Thanks!
  • edited June 12, 2022
    I would find 2FA horribly inconvenient because I don't have confidential material in my Zotero library and I have my computer and tablet password protected and securely in my possession. At work, if I'm away from my desk even for a moment I place my computer into a state that requires my password to gain access. Although over the years I've devoted literally thousands of hours to my Zotero library, I have backups that protect me from loss.

    Do you want 2FA each time the local Zotero program is opened?
    Do you want 2FA every time your local Zotero syncs?
    Do you want 2FA every time you access / edit your online library? Local library?
    Every time you add records using the iOS version?
    If not every time, how long should the idle interval be before the system times out and you need to logon again with 2FA?

    If this is seriously considered by the developers, please, please make it optional.

  • Yes, if 2FA were to be implemented, it would make sense to make it optional.

    As for the specific questions about implementation, most of my online accounts these days have 2FA implemented in such a way that, on a given device or browser, one only has to enter a 2FA code the first time one logs in. I assume the same could happen with Zotero.

    2FA helps prevent hacking. If my Zotero account were to be hacked, there would be the danger that valuable information could be lost and confidential information could be accessed.
  • In an era of cybersecurity and cyberattacks, an optional and reversible 2FA option would be key to protecting sensitive information.
  • > Do you want 2FA each time the local Zotero program is opened?
    No.
    > Do you want 2FA every time your local Zotero syncs?
    No.
    > Do you want 2FA every time you access / edit your online library? Local library?
    No.
    > Every time you add records using the iOS version?
    No.
    > If not every time, how long should the idle interval be before the system times out and you need to logon again with 2FA?
    I'm talking about Zotero account. Not about Zotero as the program.

    I want the 2FA to be required for each login. Let it be when you add your account to Zotero or when you log in to the forums.
  • > I'm talking about Zotero account. Not about Zotero as the program.

    I don't think this is per se impossible to do in an unintrusive way, but it'd obviously have to include the app -- since the app syncs all potentially sensitive information, anything else would be security theater. That could be done if connecting the app to your account would pull up an OAuth dialog with the website that requires MFA, or it'd require native MFA in the app. So certainly not impossible but also not simple. It also creates another area that requires fairly sophisticated and one-on-one support (if people lock themselves out).
  • > I don't think this is per-se impossible to do in an unintrusive way, but it'd obviously have to include the app

    Of course. But my point was that you can use the app without a Zotero Account. DWL-SDCA seemed to think I was expecting security when you open the app, I don't. All I want is to be sure that my Zotero Account, that I use for this forum and for sync, is protected by what I consider to be modern standards.

    I was thinking of something like we all are used to for email for instance. When you use clients like Thunderbird, you can add email accounts that require 2FA, and you don't have to use 2FA every time you open your inbox. Same thing on smartphone apps.

    For the rest of your comment, I agree.
    On the lock oneself out part, there are recovery codes for every 2FA system I use, so I don't think it will require sophisticated support. But I can be wrong.

    Off topic: how do you make a post quote on this forum? I can't do what you did :(
  • > Off topic: how do you make a post quote on this forum? I can't do what you did :(

    HTML works here:
    <blockquote>Quoted text</blockquote>