Two-factor authentication

I wonder why Prismic has no support for two-factor authentication, except SSO in the much more expensive Platinum+ plan. Any SaaS vendor should have two-factor available by default for any plan (imo).

The risks are high: Hackers can make nasty changes to a website when they get their hands on a username + password. E.g., man-in-the-middle attacks where a hacker links to a ghost website and copies a login page.

Two-factor/SSO should not be a feature of your pricing plan used to make people upgrade. Mailchimp even gives a discount when you activate two-factor.

Hello @joost1, welcome to the community.

The product team has been discussing the possibility of adding 2FA, and we’re planning to add it at some point in the future. However, it’s not on our immediate roadmap, so I can’t share an ETA.

At the moment, as you said before, 2FA is only available through SSO login that we can activate on Enterprise plans.

Hi Pau

This is a very important feature for us as well, do you have any idea how far away this feature is?

Thanks for joining the conversation @schalk.bower.
We have no news at the moment.

Hi @Pau

Is there any news on this? Is there a channel where we can follow this topic?

Hey @kry, for the moment what you can do is create an account using GitHub's SSO.

@Pau why is it not possible to see which users use GitHub SSO? What is the status of 2-factor support after a year?

My two cents: well-known security concern, every system which could be publicly accessed by a pirate must be protected by MFA. No question about it given current times :slight_smile:

Thanks for the feedback @cptflammin.

@joost1 we don't have any news at the moment. You can get updates about all the features that we're working on via our progress page: What's new - Prismic

Hi, what's the status here?

Not having 2FA is far from today's best practices.

And having been warned repeatedly about this (see above) and not acting on it, I believe now exposes you to a certain amount of legal responsibility should people's accounts be hacked due to lacking 2FA...

Hello everyone.
For the time being, two-factor auth is only available through SSO login that we can activate on Enterprise plans.

But you can always use the GitHub SSO signup option if you aren't an Enterprise client.

hey team, any news on 2FA?

Hey @savio. We don't have any new updates on 2FA at this time. As mentioned before, it's only available through SSO login for Enterprise plans. However, you can still use the GitHub SSO signup option if you're not an Enterprise client.

Hi @Pau, is there any update on timeline for this much needed security feature? Thanks

Hi @CharlotteD,

We have no updates here. TFA is still available exclusively on enterprise plans or with GitHub SSO.

Sam

Just bumping this we have two or three clients requiring 2FA / MFA because they've had a security auditor ask why this isn't on all plans. Neither of these clients warrant a platinum plan - they have less than 20 pages and update their sites every 3 months or so. But their IT team is pushing for this so they can get a gold star from someone above them.

Thanks

R


@rob1 we are in the same boat. There is no need for anything other than SSO or at the very least 2FA at even a medium plan on both of our repos.

While I don't agree with the practice, I understand most SaaS companies lock SSO and other security features behind an enterprise tier, but this is 2024 and 2FA is a standard. For example, the McDonald's app has this feature, but as it stands we lack support for it on a critical part of our production infrastructure.

@garrett1 so what we've had to resort to is setting up a GitHub plan for our client which has MFA activated - they now log in using GitHub and voilà - we are supposedly gold star compliant.

The one user that updates the site every 3 months is soooo relieved as you can imagine .... sigh.
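The GitHub-login workaround described above only gives you MFA if the GitHub organisation the client signs in from actually enforces 2FA for every member, and if the Prismic user never signs in any other way (both are assumptions here, not something the thread confirms). The script below is an added example, not Prismic's or GitHub's own code: it uses two documented GitHub REST endpoints, `GET /orgs/{org}` (whose `two_factor_requirement_enabled` field is only filled in when the token belongs to an org owner) and `GET /orgs/{org}/members?filter=2fa_disabled`, to produce a pass/fail verdict an auditor can file. The `SAMPLE_*` responses are constructed for the offline run, and `GITHUB_TOKEN` / `GITHUB_ORG` are environment variable names chosen for this example.

```python
"""Verify that a GitHub org enforces 2FA before treating "sign in with GitHub"
as the MFA gate for a downstream SaaS account (added example, not vendor code).

Endpoints used (GitHub REST API, assumed current):
  GET /orgs/{org}                                 -> two_factor_requirement_enabled
  GET /orgs/{org}/members?filter=2fa_disabled     -> members who have no 2FA
Both need a token for an org *owner*; otherwise the first field is null and the
second call is rejected, and the script reports that rather than a false pass.
"""
import json
import os
import urllib.request

API = "https://api.github.com"


def assess(org_info: dict, members_without_2fa: list) -> dict:
    """Turn the two API responses into a verdict.

    A None value for two_factor_requirement_enabled means the token is not an
    owner's, so enforcement could not be verified; that is treated as failing.
    """
    flag = org_info.get("two_factor_requirement_enabled")
    enforced = flag is True
    logins = sorted(m["login"] for m in members_without_2fa)
    return {
        "org": org_info.get("login"),
        "owner_view": flag is not None,      # False -> could not verify at all
        "enforced": enforced,
        "members_without_2fa": logins,
        "ok": enforced and not logins,
    }


def fetch(path: str, token: str):
    """GET one API path as JSON using a fine-grained or classic PAT."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_org(org: str, token: str) -> dict:
    """Live check; per_page=100 covers the small client orgs discussed above
    (paginate via the Link header for larger ones)."""
    info = fetch(f"/orgs/{org}", token)
    no_2fa = fetch(f"/orgs/{org}/members?filter=2fa_disabled&per_page=100", token)
    return assess(info, no_2fa)


# Constructed sample responses (not captured from a real org): the org has
# GitHub 2FA "available" but not required, and two members never enabled it.
SAMPLE_ORG = {"login": "example-client", "two_factor_requirement_enabled": False}
SAMPLE_MEMBERS = [{"login": "bob"}, {"login": "alice"}]

if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    if token and org:
        print(json.dumps(check_org(org, token), indent=2))
    else:
        print(json.dumps(assess(SAMPLE_ORG, SAMPLE_MEMBERS), indent=2))
```

Run it with `GITHUB_TOKEN` and `GITHUB_ORG` set for a live check; without them it evaluates the constructed sample and reports `ok: false`, because an org that merely has 2FA "activated" on some accounts is not the same as an org that requires it. Only `enforced: true` with an empty `members_without_2fa` list means the GitHub login is a genuine second factor for everyone who can reach the Prismic repo through it.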