I’m a bit concerned about security by only having the keychain-phrase as security for my account with all the private notes. Once somebody saw my phrase or the QR-code the other person would have access to everything. Especially if Anytype will become an “Operating System”.
Therefore I would like to have the possibility to add a second layer of security with TOTP or/and FIDO2. I think that this is a must-have-feature.
And till this is implemented some sort of notification would be nice to get if someone entered the sync-chain.
Absolute common sense.
Even if 2FA with an additional password is too technically complicated to implement with Anytype’s current architecture, a notification and an option to manually approve/kick devices off the sync chain is an absolute must for the near future. This could work in a similar fashion to how Syncthing, a file synchronization application, works, where every device must be manually approved in order for it to start receiving data.
After all, the same basic cryptography that protects our Anytype accounts is the same one that is protecting hundreds of millions of dollars worth of cryptocurrency.
I would also be hesitant to store certain kinds of information in Anytype without MFA.
I think this feature is amazing! However, I noticed that the post was made in November 2021. I’m curious if there are any updates on the roadmap regarding this matter?
Unfortunately no. I don’t think so. Security doesn’t seem to be important for the Anytype-developers. Until this changes, I personally would not use Anytype as my private notebook. I simply want my notes to be private.
It seems like right now, we have a different architecture from when you commented, right? If so, maybe now it is more available to create this feature.
This seems like a very odd comment to me. The goal of the project is local first (i.e. under your control), transmission is E2E encrypted and the only way in is a long and complex passphrase. The manifesto from the earliest days talks about the need to give you secure control over your data, and release you from dependency on cloud services managed by others.
Of course there’s always something else to be done to keep data secure, and I don’t object to 2FA/MFA.
But to say the security’s not important to the AT team? That, as I say, seems odd.
I admit that my comment was somewhat exaggerated. Nevertheless, I think that nowadays it is no longer sufficient to use ONE (albeit long) secret as the key to an account. If it were at least possible to be informed about ongoing sessions, it would still be possible to react without a second factor, or to ensure in the first place that no other person has access to the account.
I find it strange that the Anytype team did not react or comment on my suggestion, even though I took part in the alpha program relatively early and therefore the activity in the forum was not yet so pronounced. I participated in the alpha program in order to express constructive criticism and to help the team improve the program.
Apparently, however, this has come to nothing.
It is always hard to communicate in text chats, but I understand your point. I feel that to be “ready to use” is missing this security layer.
But I’m not sure how hard it is to get it done.
Anyway, I found your feature request because I have the same need.
I think it depends on the level of security you think you need. If your needs are more than can be handled by a single passphrase, then, yes, that’s a fair point.
It’s worth emphasising, though, that Anytype’s promise was local first - the idea was that, if you keep your data locally, you get to manage all the security yourself, to whatever level you require. That’s not an objection to additional security layers, but it might go some way to explain why they haven’t (so far) prioritised additional security features.
Let’s not forget that their main focus has had to be a robust basic feature set. Let’s not also forget that this is still beta and so still under heavy development.
As I understood it in the onboarding, Anytype wants to be much more than just a digital notebook. I remember the term operating system being used. If Anytype is really going to become the central point where the whole life is aligned and organized, I think it is a necessity not to rely on only one factor. And that is for every user. At most, an opt-out would be an option for me.
Don’t get me wrong. I am not criticizing that the proposal has not been implemented yet. If there are other priorities than mine, that’s fine for now. However, I would like some feedback from the team that the suggestion has been noticed. E.g. the tag “acknowledged” for my feature request or a simple answer that it was noticed, but it is not currently highly prioritized.
I’m just personally not comfortable storing all my data where someone can get to it unnoticed, just by getting the couple words or QR code. For this reason, I won’t be using Anytype as much as I would like to.
It was, but I think it’s been superseded. It confused people because it wasn’t clear what the term meant in practical use.
I’d agree with that - I’m not sure that that’s where Anytype will end up, but time will tell. In any case, provided users have control over security layers, there’s no rational objection to having more than one.
A reasonable request
Not having 2FA/MFA in 2023 is not an option. Definitely for an app that is going for privacy and security. It will get implemented for sure, just depends when.
This is an interesting topic, guys. How do you think 2FA could be implemented in Anytype, using the app? Remember that you are not using any email to get an account.
I would think a hardware key like FIDO2 is the best way. Alternatively, like OP suggested, TOTP could work as well. Finally, Anytype could use the mobile app itself as second factor when working on Desktop (and biometrics when working on mobile), but I don’t know how secure that would be.
No email address or other personal details needed.
Yep, I was thinking about this and I love the idea!
Even better if the app will have biometric protection
An option for an email could be provided if you wanted to use that for 2FA. TOTP is also a very good option for an option.
Hey guys! I like the request, but I somehow question whether this is technically possible to implement with the local-first approach of Anytype. There might be a way to increase login security, but I doubt 2FA will work here.
Remember that the account in Anytype is built on similar technology to most crypto wallets - a 12-word mnemonic is sufficient to prove ownership. Anytype is built on the idea that users are sovereign, and there should be no centralized entity that can restrict access. Think about it! Users control their keys, sync works peer-to-peer, etc. From my perspective, their nodes do not allow a centralized authentication method, which would be necessary for 2FA.
That’s why I don’t see that feature being implemented in the near future. Maybe the developers can comment on that.
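The argument in the post above, worked through as an added example (not part of the thread and not Anytype's code). It assumes BIP-39-style key derivation, which the thread only describes as "similar to most crypto wallets", and uses a published BIP-39 test phrase and the RFC 6238 test secret as sample values.

```python
import hashlib
import hmac
import struct
import unicodedata

# Sample values only: a published BIP-39 test phrase and the RFC 6238 test secret.
MNEMONIC = "legal winner thank year wave sausage worth useful legal winner thank yellow"
TOTP_SECRET = b"12345678901234567890"


def _nfkd(text: str) -> bytes:
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def derive_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), _nfkd("mnemonic" + passphrase), 2048, 64
    )


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verifier_accepts(submitted: str, unix_time: int) -> bool:
    """A TOTP check exists only where some party holds TOTP_SECRET and compares."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def compare_factors() -> dict:
    base = derive_seed(MNEMONIC)
    old_code = totp(TOTP_SECRET, 59)
    return {
        # A code from t=59 is rejected at a later time, so it cannot be a stable
        # key-derivation input; it can only gate a service that checks it.
        "code_at_59": old_code,
        "code_reused_later_accepted": verifier_accepts(old_code, 1111111109),
        # A static second secret mixed into the derivation changes the key itself,
        # with no server involved (the BIP-39 optional passphrase).
        "passphrase_changes_key": derive_seed(MNEMONIC, "second secret") != base,
    }


if __name__ == "__main__":
    for name, value in compare_factors().items():
        print(f"{name}: {value}")
```

Under these assumptions, TOTP or FIDO2 can protect access to a sync service that verifies it, while data readable from the phrase alone stays readable to anyone holding the phrase.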
If you still want to use Anytype cloud storage, 2FA should be an option.
Otherwise, as it is local first, you as a user should be the one to come with your own security measures.