Two-factor authentication (2FA/MFA)
Area Impacted:
All
Request Summary:
Add two-factor authentication for logging in to Stison
Description/Use Cases:
Two-factor authentication is widely considered a minimum baseline security mechanism for any password-based system containing sensitive/confidential information. It would be great to see this added to Stison to protect author PII and other commercially sensitive data. Either emailed codes or TOTP would be appropriate. It should be possible for an admin to mandate 2FA for all staff.
Impact of limitation or missing feature:
Staff accounts and the data contained within are vulnerable to brute-force attacks or password reuse.
Other necessary information or resources:
Stison is the only system we use that is not protected by 2FA or equivalent.