Two-factor authentication

One of the most common requests we've heard from customers lately is for two-factor or multi-factor authentication (2FA and MFA, respectively).

Today we're happy to announce the beta availability of 2FA.

Background

There are two common types of two-factor auth: TOTP and SMS.

TOTP stands for Time-based One-Time Password, and is a published standard used by many apps and services, including Google Authenticator and MS Authenticator. It requires an authentication app to be installed on a user's device, most commonly their mobile phone.

After entering their username and password, the user loads the app, obtains a 6-digit code valid at just that moment in time, and submits it as part of the login process.

It's simple and quite secure.

SMS, or text messages, is the other option, whereby at the time of login a random code--also often 6-digits--is sent out-of-band to the user. Technically this could be any out-of-band communication, such as email or a phone call, but SMS is most common.

This requires having the user's phone number and that the user is within their service area. Both poor reception and travel/roaming can block the code from being received and prevent a login. Additionally, for international users, it's sometimes difficult to send SMS messages to certain countries.

In contrast, TOTP relies only on having the device present. No service is required.

At this time we are only supporting TOTP. AuthRocket's 2FA support is compatible with Google Authenticator and most other authenticator apps. Many of these apps are available for free and they are available on virtually every platform, making things easy and accessible for your users.

Enabling Two-factor Auth

Enabling 2FA is super quick. Just go to Realm Settings -> Auth Providers -> 2FA: TOTP and click Add.

Once 2FA is enabled, it's just a matter of enrolling each user. That may be done through our expanded Credentials API or performed administratively through the management portal.

Two-factor logins work automatically with LoginRocket. If you're using authrocket.js or the AuthRocket API directly, minor changes are needed.

Full details may be found in our 2FA documentation.

As always, if you have questions or need any help along the way, reach out to us.