Although you probably have heard of Two Factor Authentication or 2FA, let’s go over the basics anyway.
Authentication is tricky these days. At least once every two months, I’ve seen reports on data breaches where usernames and passwords (hashed, encrypted, or sometimes even plaintext) got stolen.
Now, of course, having a strong password is a very good idea.
But passwords still get stolen. Or reused, even. 2FA is about a second form of authentication. After entering your username and password, you might receive a text message on your phone. Or you have to launch a 2FA app, which will give you a code to enter as the second authentication step. Or, if you’re like me, you have a Yubikey. This is a separate piece of hardware that performs the authentication via a more complex, hash-based back-and-forth (challenge and response) check with the service you are trying to access.
What’s so great about 2FA is that it’s cheap. Sure, you could use your fingerprint reader, but how safe is that?
I can hear you say “yes, but my fingerprint is harder to steal”. But is it? What do you do when you go to the toilet? You grab your phone and lock your computer. With a password and 2FA enabled, nobody can unlock those secrets in your email, even if they have your password. A fingerprint, on the other hand, is defeated immediately: while you’re browsing Reddit on the toilet, your fingerprint is on the coffee mug next to your keyboard, while your phone (the second factor) is with you on the toilet.
Luckily, most people who are interested in hacking your account are not those around you, but those far away. But that doesn’t mean you shouldn’t care about the security of your hardware. (Always lock your computer. Always log out on public computers.)
At SilverStripe, we have a lot of passion for our work. But the biggest pitfall is always security. Even though we have a lot of very security-minded people here, we still fail sometimes. Because failure is always an option.
Obviously, we respond as quickly as humanly possible to these security issues. But at some point, the human factor starts to weigh in. What can you do about a user of your website having a weak password? Or even worse, someone with CMS access using 123456 as a password?
You only find out after the whole website of your client got defaced. Or worse, personal information is out in the open.
Sidenote: How to make your co-workers aware of phishing
An interesting experiment to run is setting up your own fake website to reset the user passwords, and asking them to enter their old and new password.
Then send out your own spam email from a non-company account to your office and see how many of your colleagues follow the instructions. Please don’t actually store the passwords.
Bonus points if you set up Let’s Encrypt and point out that the lock icon is green.
After they have entered their old and new password, show them information about phishing, or send an automated email to the person who clicked the link. And of course, show a strength indication for the passwords they entered.
And also be amazed at how many people will blindly trust “you”.
As a developer, you’ll have to deal with these kinds of things on a regular basis. You have to deal with CMS users that do care, but don’t know how to do it better, or just think their standard password, written on a sticky note stuck to their monitor, is safe*.
Implementing 2FA is the best solution available to all those issues, as it requires a user to proactively do something, like grabbing their phone or key, to continue the login process. A minor inconvenience maybe, but for the greater good of security. Something you know, plus something you have.
I strongly suggest not using text messages for 2FA, as text messages can be intercepted quite easily. An authentication app or Yubikey is the preferred method.
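To make the “authentication app” path concrete, here is an added example (not code from the SilverStripe module or from this post) of what the server side of app-based 2FA does: the user is enrolled with a shared secret, the app derives a time-based code from it (TOTP, RFC 6238, built on HOTP, RFC 4226), and the server recomputes and compares. The secret, account name, issuer, step size and skew window below are assumed values; the demo secret is the one from the RFC test vectors.

```python
"""Server-side TOTP enrolment and verification, as used by authenticator apps.

Added example, not the SilverStripe module's own code. TIME_STEP, DIGITS and
SKEW_STEPS are assumed defaults (they match what most authenticator apps use).
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

TIME_STEP = 30   # seconds each code is valid for
DIGITS = 6       # code length shown by the app
SKEW_STEPS = 1   # also accept the previous and next code, to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_counter: int = -1,
                step: int = TIME_STEP, skew: int = SKEW_STEPS):
    """Check a code the user typed in.

    Returns the time counter that matched (store it with the user record and pass it
    back as last_used_counter next time, so a code that was phished or shoulder-surfed
    cannot be replayed inside the skew window), or None when nothing matched.
    The comparison is constant-time so the check leaks nothing about the digits.
    """
    current = unix_time // step
    submitted = submitted.strip().replace(" ", "")
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def new_secret() -> bytes:
    """Fresh 160-bit secret for enrolling a user; generate it once and show it once."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that goes into the enrolment QR code (the format authenticator apps read)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test secret, an enrolment URI, and one round trip.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "ExampleCMS"))
    now = int(time.time())
    code = totp(demo_secret, now)                 # what the app would display right now
    print("code:", code, "accepted:", verify_totp(demo_secret, code, now) is not None)
```

Two design points worth keeping when wiring this into a login flow: store the secret encrypted at rest (a leaked database must not hand the attacker the second factor along with the password hashes), and rate-limit code attempts per account, since a six-digit code with a three-step window is only about a one-in-333,000 guess per try.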
You can have a look at the SilverStripe module on GitHub.
Security can literally save lives. Remember that when you are encountering a security issue.
*: To be fair, nobody has ever hacked half a billion sticky notes from computer monitors.