As a security measure, we have switched all users to login using secret codes sent via email. We understand this might be confusing and inconvenient, and we’re sorry.
We made this change to protect users who do not use secure passwords from a common attack called credential stuffing, which was recently attempted against Workflowy. If you use a password manager and prefer passwords, you can easily switch back to a password here.
Also, some logged in users are reporting trouble logging in after this change, but it seems to be resolving itself after reloading.
If you have any problems not addressed above, please email help@workflowy.com and we will address your problems ASAP.
To bad I can’t login because the code does not arrive.
Also, I found a bug: If someone shares an Item with you, clicking the Link from that E-Mail is enough. The one-time code is not needed in this case.
The switch back to password option link doesn’t work
As much as we appreciate this, it does not even remotely replace 2FA! We’ve been waiting for two-factor authentication for years and we hope it is on top of your pipeline, especially given the latest developments!
Appreciate the tightened security. Thanks Jesse!
Yeap, this explains why my old Workflowy Chrome app finally stopped working 🙂 I am still surprised that I was able to use the old version for so long despite all the changes that were made. I really like all new changes but there was one hidden feature in the old app that kept me from moving to the latest version – the ability to turn off the animations. There was a nice flag called NO_ANIMATIONS. @Jesse – Do you think it would be possible to add this feature to the current version of the app? Even if only from the code level.
Hello and thanks for the update.
While I agree with the measures taken, the email I received to inform me of this had deep links in the 3 urls presented while the blog above shows the urls correctly and informs the user where they are being sent.
I feel that this is worth pointing out as a user does not know where they are being sent in the email very clearly, presenting the information clearly and transparently is important otherwise it looks like it could be a malicious email. I’d be interested to hear your/other opinions about this or if I am mistaken. Best regards.
Indeed, the links in the mail made me suspicous too
GREAT ! Thanks for this! Works fine on my end. I’ve been using a password manager myself, but I really like this change and will keep it. I appreciate your taking the time and care to provide this new solution based on the recent attacks.