I’m thinking this isn’t important b/c PL has no private/personal info such as account numbers, nor any personal info about the users themselves. I don’t think it needs 2FA at this time.

It does however have your email and how much money you have in the bank, investments & retirement funds.

With this information they know who to attack, who is worth attacking and where to attack. This would be plenty to start a spear phishing campaign to go after their retirement funds or investments if they know they have 1m sitting there.

The more info I add to PL the more I feel this is a necessary feature

I second @Skyr’s perspective. As a simple projection planning tool with approximate details, I don’t really see a need for 2FA. However the more information I add to this for more accurate simulations & planning, the more I feel like 2FA is mandatory.

TOTP/FIDO or U2F options are ones I’d like to see - they’re the better MFA options anyways, but also won’t trigger extra direct costs like SMS services would.

Yep I would say TOTP - Best experience / security SMS - Good for newbies but less secure and insures a cost FIDO - Great but a nice have as it’s only really used by more technical people

I also had a thought that might make this lower priority. If you use Google login then you do get MFA but it would be nice to not rely on social logins.

I upvoted and strongly advocate for the use of TOTP authenticator apps rather than SMS

As Lee mentioned, using a 2FA-enabled Google account for login should be pretty effective for now.

Google account for 2fa is fine, however if we have already purchased lifetime with an “Email” account rather than a Google account, it seems like there is no workaround to “link” the accounts?

If you shoot me an email or message on discord, I may be able to help with that manually.

I also think this is a very important feature from a security perspective so I hope it will become the highest priority.

using a 2FA-enabled Google account for login is already possible, if it’s a concern for you.

Thanks that will work.

Sorry to be a contrarian, but I specifically did NOT use, and won’t use, a google account for log in.

1) Google/Gmail is already a juicy target and I want to minimize/slow the impact of a google account hack; it’s bad enough they can start using gmail for password recovery, I don’t need to provide instant access

2) if I ever want to “fire” google it’s that much harder if I am using it to log into everything else. I use a password manager for a reason.

So having an authentication based 2FA is my preferred solution.

Kyle, have you considered supporting passkeys instead of/in addition to 2FA? Don’t know how easy it would be to implement at this fairly early stage of penetration as a general purpose authentication medium, but it’ll probably be table stakes for personal financial applications before too much longer.

Fido2 and Passkeys support would be great

@Yannick, definitely lots of momentum for passkeys as an authentication standard: https://blog.google/technology/safety-security/passkeys-default-google-accounts/

I wish Changemap would support passkeys, too. ;)