Two-factor authentication

It’s not an alternative to 2FA, it is 2FA

Not really. Using a Google account to sign in is actually called Single Sign-On. The sign-in process may include verifying a second factor indeed, as you describe in your scenario, but this is not necessarily the case. It is possible to have MFA enabled on a Google account and still get no second-factor request on an SSO login to Dynalist with that Google account.

  1. Open your Google Account. You might need to sign in.
  2. Under “Security,” select Signing in to Google.
  3. Choose 2-Step Verification.
  4. Under “Devices you trust,” select Revoke all.
  5. Don’t click “Don’t ask again on this computer” any more.

I’ve lost a few accounts on some services when Google decided to ban my account for absolutely no reason. I do want 2FA but I ain’t ever going to use Google’s “better than 2FA sign-in”.

Most systems now support 2FA tokens, either through an authenticator or e-mail or whatever. Anything is better than the current password-only sign-in (except SMS 2FA, of course). Even a “randomly long password” has security concerns, as leaks can and do happen. I obviously can’t really be sure Dynalist isn’t storing my password as plaintext (which is still fairly common).

Trusting 2 canadians to not ban your 2FA vs trusting the 5th largest corporation on Earth to not ban your 2FA is a very subjective purpose for a feature request.

You are completely missing the point. It is not subjective at all.
Yes, I do trust 2 Canadians trying to make a living through building applications to be useful to customers over the 5th largest corporation on Earth known for banning people heuristically and that makes most of its money from simply having and mining millions of users.

Let me break it down for you.

In the case of Dynalist:

  • According to the Terms of Service - Dynalist, you can only get banned if you upload copyrighted/illegal content, and do so repeatedly.
  • According to Shida, this has never happened, and with a quick Google search I haven’t found anyone complaining about getting their account banned.
  • There could be other reasons such as somehow abusing the system in some way, which I’m sure if your account does get disabled for it, you could reach support to come to an understanding.

In the case of Google:

  • Take a look at the large list of reasons for why your account can be banned. Now this all seems like stuff you generally wouldn’t/shouldn’t do, except Google can and does in 99.999% of cases detect these through algorithms, meaning they can and do have a fairly substantial amount of false-positives.

  • Even something as innocent as backing up your photos to Google Drive which include intimate pictures of your partner can get your account disabled, as per the previous link.

  • The likelihood of having any single one of Google’s dozens and dozens of services you use getting flagged by an AI that crawls your data is considerably high. Surely you can see how this is much more likely than Dynalist ever banning you from the one thing you use it for, especially if you never share your content with anyone. As you say, there’s no way a 2-man team would have built an AI to crawl your content or that they would somehow decide to look at your account out of the many accounts they have. 🙂

  • There are thousands and thousands of cases online from people getting banned by Google. While if you did get banned from Dynalist you could create posts on social media that would fairly negatively affect the owners, Google absolutely does not care. In fact, 99.9% of ban appeals seem to get automatic answers. As with literally every service that Google provides (aside from Google Business), it is impossible to get a hold of a human for support, to make a ban appeal case or something else. Obviously this wouldn’t be the case in Dynalist.

Google is not the saint of a company you seem to think it is.

With all that said, this isn’t about any single service. In the unlikely event that your Dynalist account gets banned, that’s only one service that is affected, which is most likely backed up so it’s not a huge deal. If your Google account gets banned or even disabled temporarily (a far more likely event), you have to:

  1. Remember all the services that you used SSO in
  2. Contact a possibly large number of customer-support teams to get your accounts back, and pray that this will even work. It’s a fairly painstaking process. I should know, it happened to me.

Lastly, you don’t seem to understand what 2FA means at all. Dynalist doesn’t have 2FA just because it has Google sign-in, since you can log in with a password. Putting a random password that you hide deep down in your basement is an ignorant solution. Whether you think you’ve done this safely or not is irrelevant, as 2FA is meant to protect all users, not just the careful ones. The many risks with just using a password are the very reason why 2FA exists. Password strength is only one of the problems. You seem smart, so I’m going to let you figure this one out.


No matter what 2FA is in place, one invented from scratch on the java server running dynalist, or the one run by 10,000 security engineers with doctorates in computer science, it’s all the same in the end if it stops working for any reason. Google banning you is a very minor inconvenience - you can still get into your dynalist account via the forgot password button on the dynalist login screen. Even if you get every single thing you’re requesting, it will still work that way. Obviously, don’t use gmail for password resets.

You should perhaps make a Hacker News post with your essay on why SSO should be eliminated from the web, and you’ll get security professionals in the comments explaining why SSO is better than reinvent-the-wheel login systems. In modern web security, SSO seems here to stay as far as I can tell.

I see you missed the point again.

Even if you get every single thing you’re requesting, it will still work that way.

No, it won’t. Or rather it shouldn’t. I feel like you’ve never used 2FA or had to recover an account with 2FA. If you lose your 2FA and recovery codes, you shouldn’t be able to just disable or reset it through a recovery e-mail. Again, that is completely insecure. Example from Discord.

As for “reinventing the wheel”, I really don’t know what you’re talking about. There are tons of TOTP libraries out there. What you’re saying is akin to saying Dynalist shouldn’t use HTTPS because you shouldn’t trust 2 random people to “invent TLS from scratch.” There’s nothing to implement, only integrate.

Sure, you can ask the devs to stop manually recovering deleted documents and poking around bugs and recovering accounts when you just email and say please. There are threads on that. Sure, it’s related to security, but it’s a separate thread than Google SSO 2FA vs in-house 2FA. For that, you just say that Google is more likely to ban you. And that has no evidence. Dynalist has like 1000 active customers, Google has a billion. I wouldn’t call Dynalist’s < 1 in 1000 ban rate evidence of a low ban rate. Plus you can make a Google account exclusively for Dynalist, and never use any Google service. You think people have been banned for logging into SSO? Plus you can use Dropbox backups, and sync Dropbox backups to your local NAS backups. So how are you going to lose data when Google bans your account for no reason? You’re trying to make a generalized “Big Tech SSO 2FA is worse than In-house 2FA” argument without any solid reasons, just separate security issues and poor backup sync settings, etc. If you can write a “Big Tech SSO 2FA is worse than In-house 2FA” essay on Hacker News and not get torn apart in the comments then maybe you’ll be on to something.

So, we can either:

  1. have dynalist users use TOTP, which practically every important service nowadays supports, where it’s stupidly easy for devs to integrate and stupidly easy for users to securely use.
  2. have users create a separate google account for Dynalist, and possibly every other service that doesn’t feel like implementing 2FA because “we have Google SSO anyway”, while relying on them to securely make their own backups and NOT lose them. Clever.

Plus you can use Dropbox backups, and sync dropbox backups to your local NAS backups. So how are you going to lose data when google bans your account for no reason?

How many Dynalist users do you think will end up making a separate Google account just to use Dynalist? There’s loads of people that use everything Google, so that includes GMail, Google Drive, SSO. For those users, having their Google account banned would result in loss of all data.

To clarify, I want 2FA for 2 reasons:

  1. it protects all users from losing their data, not just the ones that are specially careful with backing up everything to multiple locations, etc…
  2. it prevents unauthorized access through password leaks and other such problems

Whilst #1 doesn’t apply to me (or you) and that’s what you seem to be arguing for the most, #2 is equally important.

If you can write a “Big Tech SSO 2FA is worse than In-house 2FA” essay on hackernews and not get torn apart in the comments then maybe you’ll be on to something.

I never said that. You’re again missing the point. You don’t seem to realize Dynalist DOES NOT have 2FA. So because you can’t get that through your head, we’re done here.

Not really. Tons of huge websites offload their TOTP and 2FA to SSO providers.

Yeah, I agree we’re done if your argument is SSO 2FA can’t be 2FA. No true scotsman fallacy basically.

Speaking of logical fallacies, that’s a strawman argument. You keep arguing things I have never said. Google’s SSO is very secure, yes. But 2FA means you need 2 factors to login. Currently you can login with just a password to Dynalist. There’s no way to enforce 2FA, therefore there is no 2FA. The security of the main door to your house isn’t really important if your backdoor has no lock.

You don’t set a Dynalist password in the first place if you are choosing the 2FA option. Create your Dynalist account from SSO at the outset. The whole point of using Google SSO and setting 2FA in Google is that there’s no way to log in to Dynalist without 2 factors. Your email should have its own 2FA as well. If you are the one creating that second way to log in to Dynalist via a password and leaving your email inbox unsecured for password resets, how’s that anyone’s fault but yours? The 2FA is there, but you’re making a story where you yourself render the 2FA useless by creating the backdoors.

I’m late to the conversation but we store the salted hash of your password with bcrypt, which seems to be pretty standard industry practice.


Dear All,
first of all, many thanks to @Art_Stnk for bringing up this topic. I gather from the earlier correspondence that the present conversation is the latest on the topic of 2FA, so I thought that I would add my two cents’ worth here. I have nothing to contribute on the earlier discussion as far as the technical aspects are concerned; I simply want to second Art_Stnk’s request for a proper, stand-alone 2FA procedure. I am considerably restricted in my use of Dynalist as long as I cannot protect my account with 2FA, and I hope that this feature becomes available soon. Dynalist is a powerful tool, but the missing 2FA means that I am constantly looking for alternatives that I would also be able to use professionally.

Kind regards
Knut


Like many other users of Dynalist (218+ people right now) I would like a proper, stand-alone 2FA. Because I do not want to rely on Google/big tech for 2FA.

@Shida Could you also add support for U2F security keys for Dynalist 2FA? (Like the Yubikey)


I hope we never switch from Google’s world-class artificially backed 2FA SSO with thousands of PhD computer scientist security researcher eyes on its codebase. It will demand my Yubikey just because I logged into Dynalist in a new town. It’s great. Or at least keep the option for those of us not jazzed about ever trusting some from-scratch reinvention of the wheel. There are other ways to protest big tech politics. At least ask for Apple SSO or Facebook SSO. What free 2FA codebase are you folks clamoring for? Cryptography isn’t something you want to ask any small programming team to implement themselves.

We will likely be looking into time-based tokens (TOTP) for 2FA as a first step. Every company implements 2FA a bit differently, some with stricter restrictions (if you lose it, you lose access forever vs customer support can “reset” your 2FA). Will think about it.



The most unhelpful feature ever made in humanity so far. If you lose anything with an account, you lose everything. Just look at the endless problems people have with Google. I have 2FA turned off for everything. Anything with 2FA on by default, I run light years away from.

Really looking forward to native 2FA support being added to Dynalist. As a service which may store sensitive data, the lack of 2FA support is a major omission. Hopefully the work required is relatively minimal and support can be made available in the near future.
