2FA goes GA

Pardon the acronym soup! Today we're officially announcing the general availability (GA) of two-factor authentication (2FA).

This marks the end of the beta period. If you were holding out on 2FA due to the beta status, we invite you to take another look now that the beta is over.

Since we wrote all about two-factor authentication back when the beta started, we won't repeat ourselves. Be sure to read that post if you missed it previously.

We'll also remind you that AuthRocket itself added 2FA a few months back. We definitely encourage you to enable 2FA for your login if you haven't already. You'll need a compatible app on your mobile device (Google Authenticator, MS Authenticator, and many others all work just great). Then login and go to Profile -> Two-factor authentication to get started.

Please give us a shout if you have any questions. We'd love to hear from you.

Streamlined Rails integration

We just released an updated Ruby gem for AuthRocket that includes a much streamlined integration experience when using Rails.

Before, using Rails required some degree of setting up controllers, actions, and helpers to glue everything together. Now, all that's done for you.

This new behavior is opt-in, so nothing breaks for existing apps. It can be enabled by simply customizing require when adding the gem to your Gemfile.

gem 'authrocket', require: 'authrocket/rails'

More details are in our Ruby on Rails integration guide.

As always, we're here for you if you have questions.

2FA for Logins to AuthRocket

We recently announced initial availability of two-factor authentication (2FA), also referred to as multi-factor authentication (MFA).

As you might guess, we use AuthRocket itself to handle AuthRocket logins. So, with the new general 2FA support, we're now pleased to add the ability to protect your own AuthRocket login with 2FA.

To get started, make sure you have a compatible app on your mobile device. There are many free ones. Google Authenticator is one popular choice and is available on both iOS and Android.

Then login to AuthRocket, click on your name in the upper right and go to Profile/Password/2FA -> Two-factor authentication.

Please don't hesitate to reach out to us with any questions or concerns.

Two-factor authentication

One of the most common requests we've heard from customers lately is for two-factor or multi-factor authentication (2FA and MFA, respectively).

Today we're happy to announce the beta availability of 2FA.


There are two common types of two-factor auth: TOTP and SMS.

TOTP stands for Time-based One-Time Password, and is a published standard used by many apps and services, including Google Authenticator and MS Authenticator. It requires an authentication app to be installed on a user's device, most commonly their mobile phone.

After entering their username and password, the user loads the app, obtains a 6-digit code valid at just that moment in time, and submits it as part of the login process.

It's simple and quite secure.

SMS, or text messages, is the other option, whereby at the time of login a random code--also often 6-digits--is sent out-of-band to the user. Technically this could be any out-of-band communication, such as email or a phone call, but SMS is most common.

This requires having the user's phone number and that the user is within their service area. Both poor reception and travel/roaming can block the code from being received and prevent a login. Additionally, for international users, it's sometimes difficult to send SMS messages to certain countries.

In contrast, TOTP relies only on having the device present. No service is required.

At this time we are only supporting TOTP. AuthRocket's 2FA support is compatible with Google Authenticator and most other authenticator apps. Many of these apps are available for free and they are available on virtually every platform, making things easy and accessible for your users.

Enabling Two-factor Auth

Enabling 2FA is super quick. Just go to Realm Settings -> Auth Providers -> 2FA: TOTP and click Add.

Once 2FA is enabled, it's just a matter of enrolling each user. That may be done through our expanded Credentials API or performed administratively through the management portal.

Two-factor logins work automatically with LoginRocket. If you're using authrocket.js or the AuthRocket API directly, minor changes are needed.

Full details may be found in our 2FA documentation.

As always, if you have questions or need any help along the way, reach out to us.

JWT signing: HS256 vs. RS256

With the goal of increasing flexibility for our customers, AuthRocket has added support for JWT signing using the RS256 asymmetric algorithm. We've always offered the HS256 symmetric algorithm, which remains the default.

What's the difference?

HS256 is a symmetric algorithm, meaning there is one secret key shared between AuthRocket and the recipient of the token. The same key is used to both create the signature and to validate it. This key must be kept secret at all times.

If you are developing the app that is receiving the tokens, then you should use HS256. It is more secure, faster, and the token is smaller.

RS256 is an asymmetric algorithm, meaning it uses a public/private key pair. AuthRocket uses the private key for signing and provides you the public key to use to validate the signature.

If you don't have control over the app/client receiving the tokens, then RS256 is a good choice. The key can be used in a browser or mobile app, doesn't have to be secure, and can be shared without compromising security.

We still recommend using a symmetric algorithm any time it's possible since it produces smaller tokens and signs faster. Accordingly, HS256 remains the default, but now you have an alternative for when HS256 isn't right for you.

Details here.

Having trouble deciding which is best for your app?  Tell us a little about your project.  We'd love to help.