Streamlined Rails integration

We just released an updated Ruby gem for AuthRocket that includes a much streamlined integration experience when using Rails.

Before, using Rails required some degree of setting up controllers, actions, and helpers to glue everything together. Now, all that's done for you.

This new behavior is opt-in, so nothing breaks for existing apps. It can be enabled simply by customizing the require option when adding the gem to your Gemfile.

gem 'authrocket', require: 'authrocket/rails'

More details are in our Ruby on Rails integration guide.

As always, we're here for you if you have questions.

2FA for Logins to AuthRocket

We recently announced initial availability of two-factor authentication (2FA), also referred to as multi-factor authentication (MFA).

As you might guess, we use AuthRocket itself to handle AuthRocket logins. So, with the new general 2FA support, we're now pleased to add the ability to protect your own AuthRocket login with 2FA.

To get started, make sure you have a compatible app on your mobile device. There are many free ones. Google Authenticator is one popular choice and is available on both iOS and Android.

Then log in to AuthRocket, click on your name in the upper right and go to Profile/Password/2FA -> Two-factor authentication.

Please don't hesitate to reach out to us with any questions or concerns.

Two-factor authentication

One of the most common requests we've heard from customers lately is for two-factor or multi-factor authentication (2FA and MFA, respectively).

Today we're happy to announce the beta availability of 2FA.

There are two common types of two-factor auth: TOTP and SMS.

TOTP stands for Time-based One-Time Password, and is a published standard used by many apps and services, including Google Authenticator and MS Authenticator. It requires an authentication app to be installed on a user's device, most commonly their mobile phone.

After entering their username and password, the user loads the app, obtains a 6-digit code valid at just that moment in time, and submits it as part of the login process.

It's simple and quite secure.

SMS, or text messaging, is the other option: at the time of login a random code, also often 6 digits, is sent out-of-band to the user. Technically this could be any out-of-band channel, such as email or a phone call, but SMS is the most common.

This requires having the user's phone number and that the user be within their carrier's service area. Both poor reception and travel/roaming can block the code from being received and prevent a login. Additionally, for international users, it's sometimes difficult to send SMS messages to certain countries.

In contrast, TOTP relies only on having the device present. No service is required.

At this time we are only supporting TOTP. AuthRocket's 2FA support is compatible with Google Authenticator and most other authenticator apps. Many of these apps are free and available on virtually every platform, making things easy and accessible for your users.
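For readers who want to see what "a 6-digit code valid at just that moment in time" means mechanically, here is an added example (not AuthRocket's code, and not what the authenticator apps or the AuthRocket service actually ship) of the published standards involved: HOTP (RFC 4226) and TOTP (RFC 6238), written with only Ruby's standard library. The module name, the 30-second step and the one-step verification window are this example's own choices; the secret in the demo is the RFC 6238 test-vector key, not a real credential.

```ruby
require 'openssl'

# Added example (not AuthRocket's code): RFC 4226 HOTP and RFC 6238 TOTP,
# the algorithm behind the 6-digit codes that authenticator apps display.
module Totp
  STEP_SECONDS = 30   # authenticator apps almost universally use 30-second steps
  DIGITS = 6

  # HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
  # (RFC 4226 section 5.4) to a decimal code of the requested length.
  def self.hotp(secret, counter, digits = DIGITS)
    msg = [counter].pack('Q>')
    hmac = OpenSSL::HMAC.digest('SHA1', secret, msg)
    offset = hmac.getbyte(19) & 0x0f
    binary = ((hmac.getbyte(offset) & 0x7f) << 24) |
             (hmac.getbyte(offset + 1) << 16) |
             (hmac.getbyte(offset + 2) << 8) |
             hmac.getbyte(offset + 3)
    format("%0#{digits}d", binary % 10**digits)
  end

  # TOTP: HOTP with the counter derived from the current time step, so the
  # same secret yields a different code every STEP_SECONDS.
  def self.totp(secret, unix_time, step: STEP_SECONDS, digits: DIGITS)
    hotp(secret, unix_time / step, digits)
  end

  # Server-side check. `window` tolerates clock drift between the user's
  # device and the server and a code typed right at the edge of a step;
  # every extra step also widens what a random guess can hit, so keep it small.
  def self.verify(secret, submitted, unix_time, window: 1, step: STEP_SECONDS, digits: DIGITS)
    counter = unix_time / step
    (-window..window).any? do |delta|
      constant_time_equal?(hotp(secret, counter + delta, digits), submitted.to_s)
    end
  end

  # Compare without stopping at the first mismatched digit.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = '12345678901234567890' # RFC 6238 Appendix B test-vector key (ASCII)
  puts Totp.totp(secret, 59)      # 287082: the RFC's 8-digit 94287082, truncated to 6
  puts Totp.totp(secret, Time.now.to_i)
end
```

The shared secret is what enrollment provisions onto the user's device (usually via a QR code); the server keeps the same secret and runs the same computation at login time, which is why no network service is involved on the device side.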

Enabling Two-factor Auth

Enabling 2FA is super quick. Just go to Realm Settings -> Auth Providers -> 2FA: TOTP and click Add.

Once 2FA is enabled, it's just a matter of enrolling each user. That may be done through our expanded Credentials API or performed administratively through the management portal.

Two-factor logins work automatically with LoginRocket. If you're using authrocket.js or the AuthRocket API directly, minor changes are needed.

Full details may be found in our 2FA documentation.

As always, if you have questions or need any help along the way, reach out to us.

JWT signing: HS256 vs. RS256

With the goal of increasing flexibility for our customers, AuthRocket has added support for JWT signing using the RS256 asymmetric algorithm. We've always offered the HS256 symmetric algorithm, which remains the default.

What's the difference?

HS256 is a symmetric algorithm, meaning there is one secret key shared between AuthRocket and the recipient of the token. The same key is used to both create the signature and to validate it. This key must be kept secret at all times.

If you are developing the app that is receiving the tokens, then you should use HS256. It is more secure, faster, and produces smaller tokens.

RS256 is an asymmetric algorithm, meaning it uses a public/private key pair. AuthRocket uses the private key for signing and provides you the public key to use to validate the signature.

If you don't have control over the app/client receiving the tokens, then RS256 is a good choice. The public key can be used in a browser or mobile app, doesn't have to be kept secret, and can be shared without compromising security.

We still recommend using a symmetric algorithm any time it's possible since it produces smaller tokens and signs faster. Accordingly, HS256 remains the default, but now you have an alternative for when HS256 isn't right for you.

Details here.
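To make the symmetric/asymmetric distinction concrete, here is an added example (not AuthRocket's code and not a substitute for a maintained JWT library) of a minimal JWT signer and verifier in Ruby using only the standard library. It signs the same payload with HS256 and RS256, shows that RS256 verification needs only the public key while HS256 verification needs the shared secret, and shows the token-size difference the post mentions. The module name and the demo secret are this example's own; the verifier pins the algorithm it expects instead of trusting the token header, which is the design choice a practitioner would want.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example (not AuthRocket's or any gem's code): a minimal JWT signer/verifier
# that shows the HS256 / RS256 difference with nothing but the standard library.
module MiniJwt
  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.unb64url(str)
    Base64.urlsafe_decode64(str)
  end

  # HS256: one shared secret both signs and verifies.
  # RS256: the private key signs; anyone holding the public key can verify.
  def self.encode(payload, alg:, key:)
    header = { alg: alg, typ: 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = case alg
                when 'HS256' then OpenSSL::HMAC.digest('SHA256', key, signing_input)
                when 'RS256' then key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
                else raise ArgumentError, "unsupported alg #{alg}"
                end
    "#{signing_input}.#{b64url(signature)}"
  end

  # The verifier pins the algorithm it expects; the token header is checked for
  # agreement but never consulted to choose the key type or the method.
  # Returns the payload on success, nil on any failure.
  def self.decode(token, alg:, key:)
    parts = token.to_s.split('.')
    return nil unless parts.size == 3
    h, p, s = parts
    return nil unless JSON.parse(unb64url(h))['alg'] == alg
    signing_input = "#{h}.#{p}"
    signature = unb64url(s)
    valid = case alg
            when 'HS256'
              expected = OpenSSL::HMAC.digest('SHA256', key, signing_input)
              constant_time_equal?(expected, signature)
            when 'RS256'
              key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
            else
              false
            end
    valid ? JSON.parse(unb64url(p)) : nil
  rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
    nil
  end

  # Compare HMACs without stopping at the first differing byte.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = { 'sub' => 'user-123' }                     # constructed sample claims
  secret = 'constructed-shared-secret-for-the-demo'     # not a real credential
  priv = OpenSSL::PKey::RSA.generate(2048)
  pub = OpenSSL::PKey::RSA.new(priv.public_key.to_pem)  # only this leaves the signer
  hs = MiniJwt.encode(payload, alg: 'HS256', key: secret)
  rs = MiniJwt.encode(payload, alg: 'RS256', key: priv)
  puts "HS256 token: #{hs.length} chars, RS256 token: #{rs.length} chars"
  puts "RS256 verified with public key only: #{!MiniJwt.decode(rs, alg: 'RS256', key: pub).nil?}"
end
```

The HS256 signature is 32 bytes, the RS256 signature with a 2048-bit key is 256 bytes, which is where the size difference comes from. Note also what the HS256 verifier holds: the same secret that creates signatures, so it must never be shipped to a browser or mobile client.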

Having trouble deciding which is best for your app? Tell us a little about your project. We'd love to help.

New Social Provider: Slack

By now, just about everyone that uses a computer for work, even if only a little bit, is familiar with Slack. At AuthRocket, we love Slack. Our team uses it daily for quick communication, sharing notes and screenshots on current projects, and to scour the web for useful industry information.

Odds are you use Slack and it's likely your customers do too.

So we've added Slack to our Social Login provider list. If you want your users to be able to log in to your app using their Slack credentials, you can accomplish that in extremely short order.

All it takes to make it work for your app: Turn on Slack as an auth provider within the AuthRocket UI and visit Slack for a few minutes of setup.

See the details here.

Need help with Social Login? Tell us what you're up to. We'd love to help.