2FA for login community & Roonlabs account

Would it be possible to add a 2FA option to the roonlabs.com accounts?

Something like an OTP code with Google Auth app (or compatible) or a FIDO2 hardware token (FIDO2: Moving the World Beyond Passwords using WebAuthn & CTAP).

2 Likes

Why do you want these options?

Thanks for your question, Anthony.
I am a very security-aware user and I believe that 2FA is a reasonably simple to implement, yet very effective, technical countermeasure for protecting the confidentiality of users’ accounts from the risk of being breached or even hijacked.

6 Likes

Good shout, every site should offer MFA, and TOTP Google style seems quite simple for developers and users alike.

It can only make things more secure, even though I have a lastpass password that would be fun for someone to hack.

4 Likes

Understood, so long as it is provided on an OPT-In basis. 2FA can be a real PITA if you don’t have the necessary device to hand when logging in.

One thing that all users should be made aware of is that if they post their logs on the forum, they contain their roonlabs.com login email address. They may also contain other related information (software serial No. for example). I have certainly seen this in some users’ screenshots too, though I don’t know how sensitive this information is, as one doesn’t log in to Roon with it.

2 Likes

I would absolutely agree re this. 2FA should at minimum be an option nowadays. :raised_hand:

Being hosted with Google would make Google Auth a logical choice maybe.

5 Likes

Opt in is fine but Google auth is a standard not just an app.
So you can use Authy, Microsoft authenticator, Duo and they all work fine if you don’t trust Google for whatever reason.

What @Michael_Harris writes is correct (check e.g.: Time-based One-Time Password - Wikipedia). TOTP is implemented in countless ways by commercial and OpenSource solutions alike (=no vendor lock-in whatsoever).

Combined with leaving the choice on whether to activate 2FA or not for the Roon account to the users it would be a win/win for everyone (users like me who’d like to have this option available, users who don’t care or want to activate it and Roon).

1 Like

Given the evidence of lack of rudimentary computer savvy that many users here show, 2FA would exponentially increase the support burden without IMHO corresponding benefits.

True. But should not rule out an opt-in for those that can handle it?

3 Likes

+1 exactly my opinion as well

Not if you can’t log in to report it :wink: :+1:

1 Like

Exactly my type of humor :joy: :call_me_hand:

I fully agree - make it OPTIONAL and we’re fine. 2FA is often a solution in search of a problem, and profoundly aggravating when you don’t have your validating device nearby (something that happens far more often than people can imagine).

And no: Google is NOT a benchmark for trustworthy practices and privacy anywhere in the world.

1 Like

You can normally reset it via an email (and hoping you have your email under 2FA).
But again it’s for those that can cope with it.
I have 20+ accounts protected via 2FA and I want them all protected that way.
More important when credit cards and valuable data are involved… But not sure I want anyone knowing that I was listening to Barbie girl :grin::roll_eyes:

1 Like

Protecting Data rather than use of data is one of Google’s true strong points.
When has Google ever had a Data leak like Adobe, Apple, Dropbox, Linkedin and Facebook…

Never because they make sure all their users’ logins are strongly protected. All the others (bar Apple) had their accounts hacked by lack of 2FA and poor password hygiene. If Google lost its data on us all, then we would be far less valuable to them as a business.

Might not be the best reason, but it ends up in a very secure environment.

There’s a few posters that perhaps a mandatory 4FA would be appropriate. :grinning:

.sjb

3 Likes

John you are correct, but they will fight the hardest against even decent 1FA (or commonly known as a password)

not a fan of 2FA

the best security is still a strong password.

I agree to a point but even the strongest password can end up being compromised in a data leak etc. That’s where MFA helps.