2FA/MFA for the Console
The Neon console doesn't have 2FA for logins; just the password is enough. In my opinion this is a huge vulnerability, because nowadays leaks and hacks happen all the time (both on hosted services and on user machines), so all crucial systems must have at least a 2FA option, or ideally multiple, to help mitigate.
The database, being the most important asset of a system by holding personal, business and operational data, should also provide safe authentication.
From what I saw Neon Auth also doesn't have 2FA for app users. That should be in the backlog as well, but I think protecting the actual console is even more important to work on. Would love to know if it's in consideration, planned or being developed! Cheers
10 Replies
sharp-indigoOP•2mo ago
This was first requested/suggested almost two years ago guys....
https://discord.com/channels/1176467419317940276/1182844778417750079
ambitious-aqua•2mo ago
Hey!
Indeed this has been asked for before, but typically we recommend enforcing 2FA using an OAuth provider instead. So, signing in with Google and having some form of 2FA on your Google account instead.
sharp-indigoOP•2mo ago
This is not enough, because we log in with email only.
You guys should be the enforcer of 2FA
Do you understand the product need?
ambitious-aqua•2mo ago
We always appreciate the feedback, and our roadmap is very much demand based. I'll add this thread to our feature request doc to strengthen this request, along with the others.
sharp-indigoOP•2mo ago
I just think it is such a basic security feature that you guys should not have to wait for people to ask.
It's like building a food delivery app without the option to track the courier: you shouldn't need users to ask for it, you provide it from the start or early on because it's important. The analogy applies to database platforms; reinforced security should be the default.
You could argue that everyone has their own definition of basic and default, but for security it's more generalized. Everybody has that demand, they just don't say it out loud.
Appreciate any love you could give to this
deep-jade•2mo ago
+2 for this, would be more secure for production deployments
ambitious-aqua•2mo ago
I'll add your +1 to the document as well, thank you for your input!
genetic-orange•3w ago
this is indeed much needed
adverse-sapphire•2w ago
How hard is it to put 2FA on your console? A junior dev and Claude Code should be able to do it in a day.
I logged in with Google originally but then enabled a password, thinking that might be needed to enable 2FA. There's no way to remove that, so now I've got that liability - not impressed.
ambitious-aqua•7d ago
The recommended path is to use an IdP and use 2FA at that level since they support stronger 2FA methods that are generally safer than standard TOTPs.
For the password removal, are you not able to x out the email in sign-in methods in your account settings?