Promoting Two Factor Authentication

As part of our continuing drive to improve the security of data stored in agileBase, we’re taking another step in the push to promote two factor authentication to all users.

This post is for system administrators who support agileBase users, to give you information about what’s happening. If you’d like more background information on what 2FA is and why it’s important before reading on, please see this blog post from Auth0: https://auth0.com/blog/why-every-business-needs-two-factor-authentication-security/

We introduced basic SMS-based 2FA way back in 2015. Since then, app-based 2FA has been added using the industry standard Time-based One-Time Password (TOTP) algorithm (RFC 6238), meaning that it's compatible with the vast majority of authenticator apps out there, such as Google Authenticator, Microsoft Authenticator or Authy. This time last year, 2FA was made mandatory for anyone with system administration privileges.

We’re now trying to encourage ‘normal’ users to adopt 2FA as well as administrators and we’d really appreciate your help with this. Here’s a quick Q&A to get you up to speed:

What will users see?

Any users who haven’t yet turned on 2FA will see a prompt on the homepage once a week, on Mondays (also on weekends if they log on then). It looks like this:

How can I make things easy for users?

We’ve created a simple page and video for users to give them more information and help them set up, here: https://agilechilli.com/help-centre/agilebase/account-settings-agilebase/how-to-set-up-two-factor-authentication-2fa/

We’d love it if you can share this with your users and help them set up 2FA. If everyone activates it, it will be a big step in increasing the protection of your company data and hopefully will help your peace of mind!

Is 2FA now mandatory?

No, it's not. We would like to make this 'on by default' at some point in the future, but we realise that it may need some extra work, for example to allow administrators to opt people out at their discretion. Until then, users will sometimes receive a prompt when logging in, but they can dismiss it.

What if a user has no smartphone?

If someone doesn't have a compatible smartphone, or can't/doesn't want to use it for work purposes, that's fine. You can run a 2FA app on the computer itself. One of the easiest options is probably this open source browser extension for Google Chrome: https://authenticator.cc/ Bear in mind that a code generator running on the same machine the user logs in from is a weaker second factor than a separate device: if that machine is compromised, an attacker has both the password and the codes.

It may even be that this is your preferred method. It can be more convenient in day-to-day use, though initial setup can arguably be slightly more complex than scanning the QR code with a phone.

What happens if a user loses or gets a new phone?

Some 2FA apps, like Authy, back up their settings online, so all the user needs to do is re-install the app. With others (like Google Authenticator), getting a new phone means setting up 2FA again. When this happens, all the administrator has to do is un-tick 'Enable two factor authentication' in the user's settings, after which the user can set it up again. The user can also un-tick and re-tick this themselves to re-enrol (as long as they can log in). Because a 2FA reset is exactly what an attacker who has stolen a password would ask for, confirm the request really comes from the user (for example by phone or in person) before resetting it on their behalf.

My users already use a 2FA app for other software, can they re-use that?

Yes. agileBase is compatible with the industry standard (TOTP), and all mainstream apps allow codes for multiple accounts to be added, so if a user already has an app such as Google Authenticator, Microsoft Authenticator, Duo Mobile or Authy, that can be used. Apps can also be used for multiple agileBase accounts if a user has more than one login username.

We have lots of users – how can we reduce setup time?

Since adoption is not yet mandatory, you may want to roll it out a few users at a time, in cohorts for example, or train other key users in your organisation to help.

There is another option – by entering the user’s mobile phone number into their account settings, agileBase will use SMS text message codes for 2FA, so the user doesn’t have to set up 2FA themselves.

However, please be aware that this may result in a greater support burden for yourself and potentially frustrated users. We've had reports that some phone networks don't always deliver the codes in a timely manner (or sometimes at all), resulting in users who are locked out. Another consideration is that text messages are less secure: they are vulnerable to SIM-swap attacks, in which an attacker persuades the mobile carrier to move the victim's number to a SIM the attacker controls and then receives the codes. If it's important to keep your company's data safe, we strongly recommend using app-based 2FA.

Thanks for your support in helping to improve everyone’s data security.
