New feature: optional 2FA logins
I don't like being forced to do 2fa. While it may be more secure, I'd rather just do an email code since I'm almost always logged into my email (it's just one tab away).
Github forced 2fa on everyone, so I just deleted my account and switched to another service.
Anyway, is it possible for me to remove the password here from my account and switch to login with google account or whatever?
> Anyway, is it possible for me to remove the password here from my account and switch to login with google account or whatever?
Yes, after you add the external sign in on the "Edit sign in methods" page, you will get an option to remove your password.
And to reiterate, the potential future suggestion/recommendation/requirement for 2FA will only be for script authors who use password logins. If you use Google/GitHub/GitLab, or if you haven't posted any scripts, you will be unaffected.
All script authors with a password who registered after Jan 22, 2025 will now have to enable 2FA before they can post scripts. Alternatively, they can use an external login method and remove their password.
In addition to all users who registered after Jan 22, 2025, now all users who registered before this date and have not yet posted a script will be required to enable 2FA or use external logins if they wish to post a script.
I strongly recommend all script authors make this change. It will become mandatory soon.
Might wanna enforce it also when posting a comment with a link in the forum. Currently there's like a hundred spammers daily, 10-20 of which get past Akismet and actually post ads.
P.S. At least when posting in the non-script forums (GF feedback, development) as it's where 99.9% of spam goes.
I personally do not protest 2FA, but since GF requires re-login every few months, it would be too tedious to enter a 2FA code every time that happens. Is a "remember me" option that keeps you logged in forever possible?
> Might wanna enforce it also when posting a comment with a link in the forum. Currently there's like a hundred spammers daily, 10-20 of which get past Akismet and actually post ads.
I don't think 2FA is an effective anti-spam tool. It's an extra step, but it's pretty easily done.
I have added some additional checking for the spam that's coming in now, and will make more changes to deal with it.
> I personally do not protest 2FA, but since GF requires re-login every few months, it would be too tedious to enter a 2FA code every time that happens. Is a "remember me" option that keeps you logged in forever possible?
It looks like the behaviour was that your session timed out after 2 weeks even if you chose "remember me". I've made an adjustment to the settings so that if you choose "remember me", it now resets the 2 week timer. This should keep you logged in, assuming you visit the site at least once every 2 weeks.
All users who have logged in in 2025 are now required to enable 2FA (or use only external logins) to post or update scripts.
I found an issue as follows:
- Stay logged in in a normal browser window.
- Open a private window.
- In the private window, go to greasyfork.org and log in.
- In the private window, log out.
- Refresh/navigate in the normal browser window -> already logged out ???
Is it intended to log out all other sessions?
This is not related to 2FA, but yes, that is intended. There is only one session per user, and logging out terminates it to prevent a session termination vulnerability (where if someone got ahold of your cookie, they could still access your account after you had logged out).
An alternative, more complicated solution would be to support multiple sessions per user, each of which could be terminated separately, but this is not supported by Devise (the auth framework Greasy Fork uses) out of the box.
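The two session behaviours discussed in this thread (a "remember me" timer that resets on each visit, and logout that invalidates the session server-side so a copied cookie stops working), sketched with separately terminable sessions as an added example. This is not Greasy Fork's or Devise's code; the `SessionRegistry` class and its method names are hypothetical.

```ruby
require "securerandom"
require "digest"

# Hypothetical multi-session store; illustrative only, not Devise's API.
class SessionRegistry
  TTL = 14 * 24 * 3600 # two-week lifetime, matching the thread

  def initialize
    @sessions = {} # SHA-256(token) => { user:, expires_at: }
  end

  # Issue a random token at login; only its digest is kept server-side.
  def login(user, now: Time.now)
    token = SecureRandom.hex(32)
    @sessions[digest(token)] = { user: user, expires_at: now + TTL }
    token
  end

  # Check a presented cookie value; a valid visit resets the two-week timer.
  def authenticate(token, now: Time.now)
    key = digest(token)
    session = @sessions[key]
    return nil unless session
    if now >= session[:expires_at]
      @sessions.delete(key)
      return nil
    end
    session[:expires_at] = now + TTL
    session[:user]
  end

  # Logout deletes the server-side record, so a stolen copy of this cookie dies.
  def logout(token)
    !@sessions.delete(digest(token)).nil?
  end

  # "Log out everywhere": same effect as the one-session-per-user design.
  def logout_all(user)
    before = @sessions.size
    @sessions.delete_if { |_, s| s[:user] == user }
    before - @sessions.size
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token.to_s)
  end
end
```

With this design, logging out in a private window leaves the normal window's session valid, while the logged-out token is rejected wherever it is replayed.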
2FA is required on your account when using password-based logins. You can regenerate your 2FA code if you have lost it.
Assuming I have (been) logged out on all devices, and I have lost the device with my 2FA. How would I be able to log in to regenerate a 2FA code if there's no backup mechanism like recovery codes, or one-time codes sent to the account's email?
> How would I be able to log in to regenerate a 2FA code if there's no backup mechanism like recovery codes, or one-time codes sent to the account's email?
When you complete a password reset, you will be logged in to your account without a 2FA challenge. From there, you can regenerate the 2FA code.
This is a balance between security and usability. It means that if your email is compromised, your Greasy Fork account is also compromised, but it also means you can't lock yourself out like you can with GitHub.
Are there any plans to support the FIDO WebAuthn Passkey login method in the future?
> Are there any plans to support the FIDO WebAuthn Passkey login method in the future?
Not currently, no. This is the first I've ever heard of it, and it would need to become more popular for me to consider. I would also need a stable Ruby implementation.
Greasy Fork now supports enabling two-factor authentication (2FA) on user accounts that log in with an email and password. This provides additional security by requiring entry of a verification code from an app like Google Authenticator or Authy when logging in.
To enable, visit your profile and click Edit sign in methods, and click Enable 2FA. (If you don't see that button, that probably means your account is not using a password-based login, which is perfectly fine and secure.)
This is currently entirely optional. In the future, the site may eventually suggest, recommend, or perhaps even require 2FA for password-based login for script authors.
Let me know if you have any questions, comments, or suggestions.