Support two-factor authentication (2FA) for non-Pro version

Hi,

I originally created this as a request on GitHub for Seahub:

I really appreciate your work on Seafile/Seahub and, while I understand the requirement to differentiate the Pro version for monetisation reasons, disallowing two-factor authentication (2FA) for the community version is, for me, an odd and potentially dangerous decision.

Two-factor authentication should not be considered a feature. It is a fundamental necessity in the modern cloud era to protect our information from malicious attackers and provides a hugely comforting safety net in a situation where a password is stolen or compromised.

I sincerely hope that you will consider enabling this feature for the community version of Seafile/Seahub, for the sake of your users’ safety and security.

Many thanks again for your time and effort.

10 Likes

Yes - I think that safety features should be available in all versions.

Imagine the reputation damage if one must admit that a hack on Seafile only succeeded because no 2FA was available.

I say it again - put all kinds of controlling features in Pro (LDAP, statistics, tracking, …).
In business these kinds of things are needed.
Safety features are essential and should be available to everyone!!!

3 Likes

@Ludger Agreed completely. We’ve already seen the massive backlash that can occur over security incidents on personal cloud services with the recent NextCloud incident.

2FA is a golden standard for easy and reliable security. It should be available for free on all platforms and applications.

I also agree that features like LDAP, analytics, statistics and other “enterprise”-oriented features can be fairly justified for inclusion in the Pro version only. It is important for the Seafile company to be able to monetise their product, and most business customers are more than happy to pay for such features.

5 Likes

@daniel.pan @Seafile-Team
I would like to ask you to think again about 2FA for the Community Edition.
Nowadays it is a must-have to secure a login via a 2FA mechanism. But I can also understand that the implementation of this function costs some resources. Would it be conceivable, via a donation (crowdfunding), to make this feature available in the Community Edition?

Personally, I do not think it would be useful if we had a second implementation only for the Community Edition. That would only increase the maintenance effort.

Big thanks for the great project Seafile.

1 Like

Okay, we will add the two-factor authentication to community edition.

20 Likes

@daniel.pan That’s great news! Thank you for reconsidering. 2FA will make an already great piece of software even greater!

I am so glad to hear that, thanks for the effort!
Will WebDAV access be possible with 2FA? Will we need to use a token instead of a password for authentication?

We don’t have a plan to support WebDAV for 2FA yet.

If you require two-factor, you should maybe keep WebDAV disabled for security reasons anyway.
What do you think?

What’s the problem with WebDAV? I don’t think it’s less secure than the Seafile protocol. A solution could be to use a token as a password (of course, with all of the changes that would need to work).

No problem at all. As far as I know it’s a very basic protocol which is harder to secure in terms of session control, or am I wrong here?

@daniel.pan
Is it possible to give us a timeline for the implementation?
Thanks

But if you require your 2FA token instead of the password for the WebDAV authentication, you actually don’t have two factors anymore, because the first factor, your password, is not used anymore.
And I don’t think that this can possibly work without support for something like that in the HTTP/WebDAV protocol and actually any WebDAV client.

Once you login using 2FA (or not), the server gives the client you are using a token to authenticate its requests, that token can be targeted (the token will only allow the client to upload a file, or access a specific resource, with the server being able to trace changes back to the owner of the token) and/or temporal (it will only last for 7 days), unlike a password that allows you to impersonate the user to the latest extent. The token in this case is used to identify something else than the user, a client that can access the WebDAV service. Because of that, if a token gets leaked, the situation isn’t as bad as having a password leak, and it’s easier to detect too.

We plan to add 2FA to the community edition in version 6.2. But we don’t have a plan to support WebDAV yet.

3 Likes

But if you require your 2FA token instead of the password for the WebDAV authentication, you actually don’t have two factors anymore, because the first factor, your password, is not used anymore.

Yes - maybe it’s possible to combine both into one long password.

password+token=InternalUsedPassword

This way you need both, and it should be possible to implement easily.

I noticed that version 6.2 is planned for September, but there is no mention of 2FA in your roadmap.
Is the 2FA still coming in this (community) version?

Yes, it will be in CE.

2 Likes

Hi Daniel,

I have installed v6.2 and it looks very good.
The only thing which I am missing is the visible code (not the QR code).
‘Normally’ this code is printed under the QR code, so I can write it down or store it in my online safe.

I found the code in the source code (when the QR code is displayed), but it would be handy when it is printed on the screen.

Again; very good and thank you for integrating 2FA in the CE.

Erwin

While generally using 2FA, you can still limit WebDAV using nginx allow/deny directives.

location /seafdav {
    allow 192.168.1.0/24;
    allow 8.8.8.8/32;
    deny all;
}

1 Like