2FA for Logins to AuthRocket

We recently announced initial availability of two-factor authentication (2FA), also referred to as multi-factor authentication (MFA).

As you might guess, we use AuthRocket itself to handle AuthRocket logins. So, with the new general 2FA support, we're now pleased to add the ability to protect your own AuthRocket login with 2FA.

To get started, make sure you have a compatible app on your mobile device. There are many free ones. Google Authenticator is one popular choice and is available on both iOS and Android.

Then log in to AuthRocket, click on your name in the upper right and go to Profile/Password/2FA -> Two-factor authentication.

Please don't hesitate to reach out to us with any questions or concerns.

Two-factor authentication

One of the most common requests we've heard from customers lately is for two-factor or multi-factor authentication (2FA and MFA, respectively).

Today we're happy to announce the beta availability of 2FA.

Background

There are two common types of two-factor auth: TOTP and SMS.

TOTP stands for Time-based One-Time Password. It is a published standard (RFC 6238, built on the HOTP algorithm of RFC 4226) used by many apps and services, including Google Authenticator and Microsoft Authenticator. It requires an authenticator app to be installed on a user's device, most commonly their mobile phone, and a secret shared between that app and the service at enrollment time.

After entering their username and password, the user opens the app, reads the 6-digit code it derives from the shared secret and the current time (each code is valid for one short time step, typically 30 seconds), and submits it as part of the login process.

It's simple and quite secure: nothing is sent to the user at login time, so there is no out-of-band message to intercept or redirect.

SMS, or text messaging, is the other option: at the time of login a random code, also often 6 digits, is sent out-of-band to the user. Technically this could be any out-of-band channel, such as email or a phone call, but SMS is the most common.

This requires having the user's phone number and that the user is within their carrier's service area. Both poor reception and travel/roaming can block the code from being received and prevent a login. Additionally, for international users, it's sometimes difficult to deliver SMS messages to certain countries.

In contrast, TOTP relies only on having the enrolled device present. No network service is needed at login time; the app just needs its copy of the secret and a reasonably accurate clock.

At this time we are only supporting TOTP. AuthRocket's 2FA support is compatible with Google Authenticator and most other authenticator apps. Many of these apps are free, and they are available on virtually every platform, making things easy and accessible for your users.

Enabling Two-factor Auth

Enabling 2FA is super quick. Just go to Realm Settings -> Auth Providers -> 2FA: TOTP and click Add.

Once 2FA is enabled, it's just a matter of enrolling each user. That may be done through our expanded Credentials API or performed administratively through the management portal.

Two-factor logins work automatically with LoginRocket. If you're using authrocket.js or the AuthRocket API directly, minor changes are needed.

Full details may be found in our 2FA documentation.

As always, if you have questions or need any help along the way, reach out to us.

JWT signing: HS256 vs. RS256

With the goal of increasing flexibility for our customers, AuthRocket has added support for JWT signing using the RS256 asymmetric algorithm. We've always offered the HS256 symmetric algorithm, which remains the default.

What's the difference?

HS256 is a symmetric algorithm, meaning there is one secret key shared between AuthRocket and the recipient of the token. The same key is used both to create the signature and to validate it. This key must be kept secret at all times: anyone who holds it can mint valid tokens, not just verify them.

If you are developing the app that is receiving the tokens, and that app can keep the shared secret on the server, then HS256 is a good fit. It is faster, and the token is smaller.

RS256 is an asymmetric algorithm, meaning it uses a public/private key pair. AuthRocket uses the private key for signing and provides you the public key to use to validate the signature.

If you don't have control over the app/client receiving the tokens, then RS256 is a good choice. The public key can be embedded in a browser or mobile app, doesn't have to be kept secret, and can be shared freely without letting anyone forge tokens.

We still recommend using a symmetric algorithm any time it's possible, since it produces smaller tokens and signs faster. Accordingly, HS256 remains the default, but now you have an alternative for when HS256 isn't right for you. Whichever you choose, configure your verifier with the algorithm and key you expect rather than letting the token's own alg header decide: a verifier that dispatches on that header can be tricked into treating an RS256 public key as an HS256 secret and accepting a forged token.

Details here.

Having trouble deciding which is best for your app?  Tell us a little about your project.  We'd love to help.

New Social Provider: Slack

By now, just about everyone that uses a computer for work, even if only a little bit, is familiar with Slack.  At AuthRocket, we love Slack.  Our team uses it daily for quick communication, sharing notes and screenshots on current projects, and to scour the web for useful industry information.

Odds are you use Slack and it's likely your customers do too.

So we've added Slack to our Social Login provider list.  If you want your users to be able to login to your app using their Slack credentials, you can accomplish that in extremely short order.

All it takes to make it work for your app: Turn on Slack as an auth provider within the AuthRocket UI and visit Slack for a few minutes of setup.

See the details here.

Need help with Social Login?  Tell us what you're up to.  We'd love to help.

AuthRocket Dashboard

Many of the important new features we add are found in the background of AuthRocket.  They have included behavioral changes, streamlining of the UI, ways to make integration even easier, and more.

This update, however, is front and center.  In fact, if you have logged into the AuthRocket UI in the last few days, then you've already seen it.

For those that haven't, we've introduced some helpful metrics to your Realm dashboard.  Realms are versatile containers that hold your Users and groups (Orgs).  Most often, our customers use a Realm to hold an entire app.

Your new Realm dashboard looks like this:

It includes total logins, users created (New User signups, plus Users added via app backend), and failed logins.  We've also included a handy pie graph of the types of Logins: Passwords, Social Logins by provider, etc.

All of this is intended to help you better understand the way your app is being used and to use that understanding to better interact with your Users--perhaps by using User login Events to trigger actions.

A few notes on Events

Every time a User logs into your app, a unique Event is created in AuthRocket.  These Events can be used to trigger actions.

Maybe you'd like to trigger a welcome email to a newly registered User.  Or perhaps in a high-security environment, you want to validate a new User via email.  Because of the way AuthRocket creates and uses Events, you can knock out chores like these in minutes without writing code--all you have to do is turn them on and do a little basic config in the AuthRocket UI.

So Events allow us to deliver important User data to your Realm dashboard and to trigger useful interactions, both with the goal of better User understanding and engagement.

Questions about Events?  Comments?  Drop us a line.