Two factor authentication – upgrade your security

A while ago we introduced two factor authentication (2FA) to the agileBase platform, to improve data security. This helps to secure your account even in the case when you password is stolen, guessed or hacked.

We used SMS text messages to send codes to you when logging in from a new device or location, as this technology is widely used and understood. However, we now have an improved way of doing this using a two-factor app.

The main advantages of using an app are

• it’s more secure
• you don’t have to have phone reception to use it. That makes things like logging in from abroad easier
• it’s more reliable – the phone network can sometimes delay or block messages

How do I set this up?

Really easily. Just log in, click on your user icon at the top right of the screen and select ‘edit profile’, then tick ‘use two factor authentication. A three step wizard will take you through the process.

In brief:

1. Download an authenticator app if you don’t already have one. Luckily the technology is all standard and interoperable. Any app which works for one service, such as agileBase, will also work for others like Google or Twitter, so you can manage 2FA for all your logins from one app.If you don’t have one yet, we recommend www.authy.com as they backup things for you so you’re not stuck if you lose your phone.
2. agileBase will show a QR code (barcode) to scan. From your authenticator app, press the plus button or choose ‘add account’.
3. That’s it, your app will now show a code. To confirm everything’s working, you’ll be asked to enter the code shown.

Why’s that again?

If unconvinced that setting up 2FA is a really good idea, here are a couple of cases to highlight:

Russia hacked the Clinton campaign in large part because John Podesta didn’t bother to turn on two-factor authentication

Bitcoin users who lacked 2FA have been hacked

Administrator notes

As an administrator, you can’t set up two factor for someone – the user has to do that themselves as they need their own personal phone or device. However, if something goes wrong, such as their phone breaks or is lost, you can disable it for them. In the settings for a user with 2FA enabled, you’ll be able to un-tick the option.

A word of warning – as the administrator, you are responsible for data security in that situation. Two factor authentication is of no use if a hacker can just contact an administrator and request it be turned off for a particular user. Please follow your internal procedures and at least use common sense, e.g. if you know the user well, speak to them  rather than rely on an email.