Two-factor authentication

First of all, thank you guys for the great product. I just love how seemingly simple and at the same time incredibly useful it is.

Now sometimes the information I store in Dynalist is somewhat on the sensitive side. It’s not like plain text passwords for my accounts, but maybe notes related to my clients or other things that make me have a second thought before putting that stuff in Dynalist. I feel like having a second factor in addition to password would make a great improvement over current email-password pair.

Probably time-based codes, like in google authenticator, would be the most approachable option by both development team and users. I personally use Yubikey whenever possilbe, so having that security key option via U2F (I guess?) would be really awesome for people like me.

Now this topic has been brought up a number of times in the comments of this forum:

• Major security concern
• 2019 September update (Archive document)
• What features would make the Pro plan more lucrative?

So I thought this feature request may be a good place to keep track of “likes” and comments on this subject, and hopefully will finally bring this feature to one of your releases.

Thanks!

You probably want an established company with high paying bug bounties and thousands of security researchers running the 2FA login. That’s why I sign into Dynalist via the Google SSO button. It requires my Yubi key be pressed, my phone notification be unlocked and tapped, my password be unleaked, and artificial intelligence will challenge me further if my IPs geographic location is unusual or my computer and browser changes. Only then can I access my Dynalist. My original Dynalist password is pseudo-disabled by logging out, pressing Forgot Password, and setting it to a ridiculously long string that I didn’t save.

Hi BigChungus,

Thank you for sharing your positive experience with Google sign-in.
As for me, this all looks fantastic until Google algorithms decide that account should be banned. Unfortunately, this happens and even when it happens due to a mistake there isn’t much that can be done to remove ban.
I prefer to keep Google authentication away from services that are important for me.

Thank you

Just use DynaList forgot password button and add a new Google account if it gets banned.

And if the dynalist algorithms coincidentally decide to ban you at the same time, just go in your Dropbox backup and import that to your new account.

Just use DynaList forgot password button and add a new Google account if it gets banned

Can you elaborate a bit on how does this work without access to the banned Google mail?

Also thank you for providing an interesting alternative to 2FA

Don’t use Google mail

It’s not an alternative to 2FA it is 2FA

Not really. Using Google account to sign-in is actually called Single Sign-On. The sign-in process may include verifying second factor indeed, as you describe in your scenario, but this is not necessary the case. It is possilbe to have MFA enabled on Google account, and still get no second factor requests while on SSO login to Dynalist with Google account.

1. Open your Google Account. You might need to sign in.
2. Under “Security,” select Signing in to Google.
3. Choose 2-Step Verification.
4. Under “Devices you trust,” select Revoke all.
5. Don’t click " Don’t ask again on this computer ." any more.

I’ve lost a few accounts on some services when Google decided to ban my account for absolutely no reason. I do want 2FA but I ain’t ever going to use Google’s “better than 2FA sign-in”.

Most systems now support 2FA tokens, either through an authenticator or e-mail or whatever. Anything is better than the current password-only sign-in (except SMS 2FA of course). Even a “randomly long password” has security concerns has leaks can and do happen. I obviously can’t really be sure Dynalist isn’t storing my password as plaintext (which is still fairly common).

Trusting 2 canadians to not ban your 2FA vs trusting the 5th largest corporation on Earth to not ban your 2FA is a very subjective purpose for a feature request.

You are completely missing the point. It is not subjective at all.
Yes, I do trust 2 Canadians trying to make a living through building applications to be useful to customers over the 5th largest corporation on Earth known for banning people heuristically and that makes most of its money from simply having and mining millions of users.

Let me break it down for you.

In the case of Dynalist:

• According to the Terms of Service - Dynalist, you can only get banned if you upload copyrighted/illegal content, and do so repeatedly.
• According to Shida, this has never happened, and with a quick Google search I haven’t found anyone complaining about getting their account banned.
• There could be other reasons such as somehow abusing the system in some way, which I’m sure if your account does get disabled for it, you could reach support to come to an understanding.

In the case of Google:

• Take a look at the large list of reasons for why your account can be banned. Now this all seems like stuff you generally wouldn’t/shouldn’t do, except Google can and does in 99.999% of cases detect these through algorithms, meaning they can and do have a fairly substantial amount of false-positives.

• Even something as innocent as backing up your photos to Google Drive which include intimate pictures of your partner can get your account disabled, as per the previous link.

• The likelihood of having any single one of Google’s dozens and dozens of services you use getting flagged by an AI that crawls your data is considerably high. Surely you can see how this is much more likely than Dynalist ever banning you from the one thing you use it for, specially if you never share your content with anyone. As you say, there’s no way a 2-man team would have built an AI to crawl your content or that they would somehow decide to look at your account out of the many accounts they have.

• There are thousands and thousands of cases online from people getting banned by Google. While if you did get banned from Dynalist you could create posts on social media that would fairly negatively affect the owners, Google absolutely does not care. In fact, 99.9% of ban appeals seem to get automatic answers. As with literally every service that Google provides (aside from Google Business), it is impossible to get a hold of a human for support, to make a ban appeal case or something else. Obviously this wouldn’t be the case in Dynalist.

Google is not the saint of a company you seem to think it is.

With all that said, this isn’t about any single service. In the unlikely event that your Dynalist account gets banned, that’s only one service that is affected, which is most likely backed up so it’s not a huge deal. If your Google account gets banned or even disabled temporarily (a far more likely event), you have to:

1. Remember all the services that you used SSO in
2. Contacting possibly large amounts of customer support to get your account back, pray that that will even work. It’s a fairly painstaking process. I should know, it happened to me.

Lastly, you don’t seem to understand what 2FA means at all. Dynalist doesn’t have 2FA just because it has Google sign in, since you can login with a password. Putting a random password that you hide deep down in your basement is an ignorant solution. Whether you think you’ve done this safely or not is irrelevant, as 2FA is meant to protect all users, not just the careful ones. The many risks with just using a password is the very reason why 2FA exists. Password strength is only one of the problems. You seem smart, so I’m going to let you figure this one out.

No matter what 2FA is in place, one invented from scratch on the java server running dynalist, or the one run by 10,000 security engineers with doctorates in computer science, it’s all the same in the end if it stops working for any reason. Google banning you is a very minor inconvenience - you can still get into your dynalist account via the forgot password button on the dynalist login screen. Even if you get every single thing you’re requesting, it will still work that way. Obviously, don’t use gmail for password resets.

You should perhaps make a hackernews post to your essay on why SSO should be eliminated from the web, and you’ll get security professionals in the comments explaining why SSO is better than re-invent-the-wheel login systems. In the modern web security, SSO seems here to stay as far as I can tell.

I see you missed the point again.

Even if you get every single thing you’re requesting, it will still work that way.

No, it won’t. Or rather it shouldn’t. I feel like you’ve never used 2FA or had to recover an account with 2FA. If you lose your 2FA and recovery codes, you shouldn’t be able to just disable or reset it through a recovery e-mail. Again, that is completely insecure. Example from Discord.

As for “reinventing the wheel”, I really don’t know what you’re talking about. There are tons of TOTP libaries out there. What you’re saying is akin to saying dynalist shouldn’t use HTTPS because you shouldn’t trust 2 random people to “invent TLS from scratch.” There’s nothing to implement, only integrate.

Sure, you can ask the devs to stop manually recovering deleted documents and poking around bugs and recovering accounts when you just email and say please. There are threads on that. Sure, it’s related to security, but it’s a seperate thread than Google SSO 2FA vs in-house 2FA. For that, you just say that google is more likely to ban you. And that has no evidence. Dynalist has like 1000 active customers, google has a billion. I wouldn’t call dynalists < 1 in 1000 ban rate evidence of a low ban rate. Plus you can make a google account exclusively for dynalist, and never use any google service. You think people have been banned for logging into SSO? Plus you can use Dropbox backups, and sync dropbox backups to your local NAS backups. So how are you going to lose data when google bans your account for no reason? You’re trying to make a generalized “Big Tech SSO 2FA is worse than In-house 2FA” argument without any solid reasons, just separate security issues and poor backup sync settings, etc. If you can write a “Big Tech SSO 2FA is worse than In-house 2FA” essay on hackernews and not get torn apart in the comments then maybe you’ll be on to something.

So, we can either:

1. have dynalist users use TOTP, which practically every important service nowadays supports, where it’s stupidly easy for devs to integrate and stupidly easy for users to securely use.
2. have users create a separate google account for Dynalist, and possibly every other service that doesn’t feel like implementing 2FA because “we have Google SSO anyway”, while relying on them to securely make their own backups and NOT lose them. Clever.

Plus you can use Dropbox backups, and sync dropbox backups to your local NAS backups. So how are you going to lose data when google bans your account for no reason?

How many Dynalist users do you think will end up making a separate Google account just to use Dynalist? There’s loads of people that use everything Google, so that includes GMail, Google Drive, SSO. For those users, having their Google account banned would result in loss of all data.

To clarify, I want 2FA for 2 reasons:

1. it protects all users from losing their data, not just the ones that are specially careful with backing up everything to multiple locations, etc…
2. it prevents unauthorized access through password leaks and other such problems

Whilst #1 doesn’t apply to me (or you) and that’s what you seem to be arguing for the most, #2 is equally important.

If you can write a “Big Tech SSO 2FA is worse than In-house 2FA” essay on hackernews and not get torn apart in the comments then maybe you’ll be on to something.

I never said that. You’re again missing the point. You don’t seem to realize Dynalist DOES NOT have 2FA. So because you can’t get that through your head, we’re done here.

Not really. Tons of huge websites offload their TOTP and 2FA to SSO providers.

Yeah, I agree we’re done if your argument is SSO 2FA can’t be 2FA. No true scotsman fallacy basically.

Speaking of logical fallacies, that’s a strawman argument. You keep arguing things I have never said. Google’s SSO is very secure, yes. But 2FA means you need 2 factors to login. Currently you can login with just a password to Dynalist. There’s no way to enforce 2FA, therefore there is no 2FA. The security of the main door to your house isn’t really important if your backdoor has no lock.

You don’t set a Dynalist password in the first place if you are choosing the 2FA option. Create your dynalist from SSO at the outset. The whole point a using Google SSO and setting 2FA in Google is that there’s no way to login to dynalist without 2 factors. Your email should have it’s own 2FA as well. If you are the one creating that second way to login via Dynalist via a password and leaving your email inbox unsecured for password resets, how’s that anyone’s fault but yours? The 2FA is there, but you’re making a story where you yourself render the 2FA useless by creating the backdoors.

I’m late to the conversation but we store the salted hash of your password with bcrypt, which seems to be pretty standard industry practice.