Upcoming Feature/Poll: Which second factor of 2FA is your favorite? Cast your vote now!

Zammad’s vision for the future is to become the most used helpdesk tool in the world, creating a customer service environment where support is enjoyable for everyone involved - customers, agents, companies and IT teams. Where there is a vision, there is also a path, but also hurdles to overcome. In our digital age, one of the most prevalent challenges we face is data theft, and it is crucial for Zammad to stay one step ahead of these malicious operators. That is why the implementation of two-factor authentication (2FA) is one of our top priorities for the next release.

With 2FA, we want to further strengthen the security of Zammad accounts by introducing an additional layer of verification beyond the password. It requires two different types of authentication factors, typically something the user knows (like a password) and something the user has (like a mobile device or security token). This ensures that only authorized people can access the account and that your data is protected in the best possible way.

We would like to hear your opinion on 2FA. Which second factor would you personally prefer? Please take a vote and/or leave a comment.

  • Authenticator app
  • WebAuthn
  • SMS
  • Email
  • Others (please comment below)

Short explanation of the choices:

  • Authenticator app such as Google Authenticator or Authy: the app generates a unique one-time password which enables 2FA for the user’s account.
  • WebAuthn: a Web Authentication API which supports, e.g., hardware tokens like YubiKey.
  • SMS: an SMS is sent out to the user which contains a one-time password.
  • Email: an email with a one-time password that expires after a certain amount of time is sent out to the email address stored in the user record.
3 Likes

At the moment an authenticator app would be my preferred method. For the future a WebAuthn method would also be nice.

Looking forward to this next level of security :+1:

5 Likes

While I think Authenticator app is the most important to support as far as immediate impact goes - WebAuthn is ‘the future’ and any new implementations, like this, should really support it.

FWIW SMS is disallowed in our environment, WebAuthn encouraged, and Authenticator App the most common/minimum.

It would be great if you could support multiple with the setting over which to enable. And the icing on the cake would be adapting the policy depending on role - e.g. Administrators must use WebAuthn, Agents must use Authenticator or WebAuthn, Client use of 2FA is optional.

5 Likes

:pray: Thank you for each vote and comment. We greatly appreciate your feedback and are pleased to see that our perspective on the importance of 2FA aligns with yours. We’re excited to share that this great feature will be making its debut in the upcoming release just a few weeks from now. :tada:

2 Likes