2FA Security of Account

This is related to the current offering of 2FA within Icedrive, and from what I’ve read on this forum, the same issues have been highlighted for a number of months!

2FA is a very important part of account security and as such I would hope it works, or at least better than it currently does.

My issues:

  1. You can only set up one method of 2FA.
  2. FIDO/U2F does not work; the API has not been updated to allow use with new browsers. This is available and could be fixed.

Suggestions:
1. Allow more than one method of 2FA to be setup and active.
2. If someone loses their phone / access to authenticator etc. or just does not have it to hand, they should be able to use FIDO or SMS.
3. If you have FIDO/U2F, then there needs to be an option to have more than one key registered.
4. Need the ability to have two-factor authentication recovery codes.

As this is to do with account security, can we have some meaningful reply on when this will be fixed, please?

3 Likes

For the reasons you’ve given, Icedrive is not a credible product. I tried engaging with them but clearly they either don’t understand or don’t have the resources to fix.

1 Like

I’ve given them the link to the updated API for sorting out FIDO/U2F for Yubikeys, so fingers crossed they will fix that quickly. But it is pointless fixing if they also do not support more than one key, more than one 2FA and recovery keys. Too risky otherwise.

I’ve got the remainder of the month to see what happens, but can’t stay if the account security is not there.

2FA this morning not working with SMS in the UK. Fortunately I was still logged in on another device and managed to disable it.

Add it to the list of faults that never appear to get fixed!

Very lucky there, to be still logged in on another device.

They did reply to a ticket of mine stating they are looking at 2FA for a future update, but then they said it would be in the “next few months”. Not good; something like 2FA can be fixed faster and released, it does not need to wait for other features. Fix the security of the account first, that is the important part.

2 Likes

To Admin…
Can we have a reply on “when” we will see the 2FA fixed / improved?

Does not take long to fix this security issue, why not fix and release rather than hold back to some bigger update!

FIDO/U2F option still not available despite it being 7 months since this topic was opened. Was hardware based authentication available as an option on IceDrive before? Also, I couldn’t find any history of other simultaneously logged in devices on the web page. I assume it would be good if a user could see where he/she is currently logged in, be it any other browser or mobile apps.

As you can see in the first post in this thread, hardware based auth was indeed offered previously. However, there were a few flaws:

  • on web, it was implemented using an old API so it stopped working at some point as browsers were updated
  • it was possible to select only a single 2FA mode; if you chose a HW key, a single key could have been added with no option for a fallback should you lose the key (huge red flag)
  • no recovery codes whatsoever
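
The recovery-code request raised in this thread, sketched as an added example (not Icedrive's code and not written by any poster here): codes come from a CSPRNG, are shown to the user once, are stored only as keyed digests, and are burned on first use. The class and function names, the alphabet and the code length are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: lowercase letters and digits without look-alikes (0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 16  # about 79 bits per code, so a salted fast hash is sufficient


def _digest(salt: bytes, code: str) -> bytes:
    """Normalise user input (case, dashes, spaces) and return a keyed digest."""
    normalised = code.strip().lower().replace("-", "").replace(" ", "")
    return hmac.new(salt, normalised.encode(), hashlib.sha256).digest()


class RecoveryCodes:
    """Hypothetical server-side record for one account; holds digests only."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused = set()

    def issue(self, count: int = 10) -> list:
        """Invalidate any earlier set and return new codes to display once."""
        raw = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
               for _ in range(count)]
        self.unused = {_digest(self.salt, c) for c in raw}
        return ["-".join(c[i:i + 4] for i in range(0, CODE_LEN, 4)) for c in raw]

    def redeem(self, code: str) -> bool:
        """Accept each valid code exactly once, comparing in constant time."""
        candidate = _digest(self.salt, code)
        match = None
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)  # single use: a replayed code fails
        return True


if __name__ == "__main__":
    codes = RecoveryCodes()
    first, *_ = codes.issue()
    print(codes.redeem(first), codes.redeem(first))  # True False
```

Re-issuing replaces the whole set, so a leaked or lost sheet of codes can be invalidated in one step.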