Two-Factor Authentication (2FA) is coming to JoMo. Soon, users will be able to enjoy enhanced security and better protection. This will come as part of a suite of security changes we’ll be making, but it is without a doubt the most significant one for the user. That said, what is 2FA? How does it work, and why is it important? Let’s talk about it.
What is 2FA?
Two-factor authentication is a fairly straightforward security measure which, unlike a standard username/password combo, requires a secondary method of authentication as an extra security layer. This means that a user needs not just a standard password, but some secondary, separate way of obtaining what is essentially a second password. This is usually a code obtained through a mobile device, delivered by SMS or generated by an authenticator app, and sometimes even biometrics. The second factor has to be of a different kind from the first – no using two passwords for this! With a second factor in place, a user won’t lose control of their account just because their main password is compromised.
How does 2FA work?
When a user sets up 2FA they will be asked to add a secondary method of authentication. Depending on the application requesting this, the user might have a variety of options to choose from. Authentication methods range from simple knowledge factors, such as a PIN or a password, to more complex implementations like biometric data (fingerprint or facial scans). Additional methods exist, such as geographical data, but these are niche. By combining these different methods, we create extra layers of security for the user.
In JoMo’s case, we’ve decided to go with a combination of password login and the timed authenticator method. Through an authenticator app the user is shown a secret, time-based code that changes every 30 seconds. The code is tied to a secret key unique to each user, so it can only be produced by the authenticator app set up for that user.
The flow is pretty simple: when the user first logs in to their admin panel they will be asked to set up a new authenticator app. This means scanning a QR code with their app, or using the provided code. We then generate a new secret key for the user. The user is prompted to enter the code being displayed on their authenticator, and if they succeed, the secret is saved against their account. To avoid any errors, we don’t save the key against the user until they’ve proved it works on their device.
And that’s it! Now, whenever the user logs in to the admin panel they will be asked to enter their code after their username and password, and then proceed to the admin panel.
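The setup and login flow just described, as an added Python example that is not JoMo’s own code: it implements the 30-second, 6-digit time-based code (RFC 6238 TOTP over HMAC-SHA1), produces the per-user secret and the otpauth payload that the QR code carries, and saves the secret against the account only once the user’s first code verifies. The in-memory store, the "JoMo" issuer label and the one-step drift window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

STEP, DIGITS = 30, 6  # the 30-second, 6-digit profile described above

def generate_secret() -> str:
    # Fresh 160-bit shared secret, base32-encoded as authenticator apps expect.
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp(secret_b32: str, at: int) -> str:
    # RFC 6238: HMAC-SHA1 over the 30-second step counter, dynamically truncated to 6 digits.
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, (at // STEP).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"

def verify_code(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    # Tolerate +/- `window` steps of clock drift between phone and server; compare in constant time.
    return any(hmac.compare_digest(totp(secret_b32, at + d * STEP), submitted.replace(" ", ""))
               for d in range(-window, window + 1))

def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    # Encode this as the QR code; the secret itself is the manual "provided code".
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP}")

class TwoFactorEnrollment:
    # Constructed in-memory stand-in for the user store: pending secrets stay apart from accounts.
    def __init__(self):
        self.pending, self.accounts = {}, {}

    def begin(self, user: str) -> str:
        self.pending[user] = generate_secret()
        return provisioning_uri("JoMo", user, self.pending[user])

    def confirm(self, user: str, code: str, at=None) -> bool:
        secret = self.pending.get(user)
        if secret and verify_code(secret, code, at or int(time.time())):
            self.accounts[user] = self.pending.pop(user)  # saved only once a code from the device works
            return True
        return False

    def login(self, user: str, code: str, at=None) -> bool:
        secret = self.accounts.get(user)
        return bool(secret) and verify_code(secret, code, at or int(time.time()))
```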