<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Authy Blog</title>
  <id/>
  <updated>2013-04-15T00:00:00+00:00</updated>
  <author>
    <name>Authy</name>
  </author>
  <entry>
    <title>Two-Factor Auth for everyone</title>
    <link rel="alternate" href="http://blog.authy.com/two-factor-auth-for-everyone"/>
    <id>two-factor-auth-for-everyone</id>
    <published>2012-08-02T00:00:00+00:00</published>
    <updated>2012-08-02T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;div class="image-right"&gt;&lt;img src="/assets/posts/phones.png"&gt;&lt;/div&gt;


&lt;p&gt;More than a year ago I started working on an Android App to add two-factor authentication to a site I was working on. Since then Authy has changed dramatically to become a full platform that anyone can use to simply add two-factor authentication to their site or app.&lt;/p&gt;

&lt;p&gt;We built Authy for ourselves. We wanted a two-factor authentication solution that would work across ...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;div class="image-right"&gt;&lt;img src="/assets/posts/phones.png"&gt;&lt;/div&gt;


&lt;p&gt;More than a year ago I started working on an Android App to add two-factor authentication to a site I was working on. Since then Authy has changed dramatically to become a full platform that anyone can use to simply add two-factor authentication to their site or app.&lt;/p&gt;

&lt;p&gt;We built Authy for ourselves. We wanted a two-factor authentication solution that would work across sites, since we didn’t want to install and configure a new App for every site; that was simple to integrate; and, finally, that would be self-serviced, so we didn’t need an IT department. Once we had the basics done, we decided to open the API to a few of our friends and they loved it.&lt;/p&gt;

&lt;p&gt;This year things changed. We’ve witnessed how LinkedIn, Last.fm, Linode and, just this week, Dropbox were hacked. Taking the lead, Dropbox has now decided to enable two-factor authentication. Why haven’t others done so? Well, it’s still very hard for the average site to do so. We wanted to change that, so we decided to open our API for everyone.&lt;/p&gt;

&lt;p&gt;If you own a site or app and you care about your users, consider adding two-factor today. Do not wait until your users get hacked; that’s just irresponsible. And, if you are a user, demand two-factor authentication from the services you use. It’s in your hands to decide if you want to keep things the way they are or you want a future where your data is safe.&lt;/p&gt;

&lt;p&gt;Follow us on Twitter: &lt;a href="https://www.twitter.com/authy" title="@authy"&gt;@authy&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://news.ycombinator.com/item?id=4330050"&gt;Hacker News Discussion&lt;/a&gt;&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>Add two-factor authentication to your ssh in 30 seconds.</title>
    <link rel="alternate" href="http://blog.authy.com/two-factor-ssh-in-thirty-seconds"/>
    <id>two-factor-ssh-in-thirty-seconds</id>
    <published>2012-08-28T00:00:00+00:00</published>
    <updated>2012-08-28T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;TL;DR: Jump to the bottom to see the video and &lt;strong&gt;install it using&lt;/strong&gt;:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Installation.

$ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh
$ sudo bash authy-ssh install /usr/local/bin
$ sudo /usr/local/bin/authy-ssh enable `whoami` &amp;lt;your-email&amp;gt; &amp;lt;your-country-code&amp;gt; &amp;lt;your-cellphone&amp;gt;
$ authy-ssh test
$ sudo service ssh restart
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;We love SSH here at Authy. We use it for practically everything: git, remote shell access, deployment scripts and even pair programming.
...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;TL;DR: Jump to the bottom to see the video and &lt;strong&gt;install it using&lt;/strong&gt;:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Installation.

$ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh
$ sudo bash authy-ssh install /usr/local/bin
$ sudo /usr/local/bin/authy-ssh enable `whoami` &amp;lt;your-email&amp;gt; &amp;lt;your-country-code&amp;gt; &amp;lt;your-cellphone&amp;gt;
$ authy-ssh test
$ sudo service ssh restart
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;We love SSH here at Authy. We use it for practically everything: git, remote shell access, deployment scripts and even pair programming.&lt;/p&gt;

&lt;p&gt;However, keeping it secure yet accessible for everyone turned out to be quite a challenge. At first we used X.509 certificates on authorized_keys and we instructed everyone to protect their private certificates with a password. However, using multiple certificates, each with a different password, quickly became unmanageable. Reluctantly we resorted to a single certificate per user with a password. However, this is far from ideal. If an employee’s machine got hacked, the hacker could steal his certificate and easily use a keylogger to steal the password. And with the password and certificate in hand, he would have access to virtually everything (including our source code through git-ssh).&lt;/p&gt;

&lt;p&gt;We looked for other possibilities, but they all looked like a lot of work. Finally we decided to reuse our API to add two-factor authentication to all of the machines. We hacked a quick bash script to connect to our API and used the SSH ForceCommand directive to run this script before each login. The script verifies the user’s token and, if it is correct, initiates the session. This meant that we could use multiple certificates again, but without requiring everyone to protect them with passwords. Best of all, if anyone stole a certificate they still wouldn’t be able to access any of the machines, as they would still require the One-Time-Password generated by the Authy App.&lt;/p&gt;

&lt;p&gt;We knew we couldn’t be the only ones who wanted this, so we made a new version that everyone can install in less than 30 seconds. Let us know if you find it as useful as we do.
The whole source code is on GitHub: &lt;a href="https://github.com/authy/authy-ssh"&gt;https://github.com/authy/authy-ssh&lt;/a&gt;. Feel free to fork it and modify it as you wish. We wrote it in bash because we hate compiling things, and this meant it would run everywhere without special voodoo.&lt;/p&gt;

&lt;p&gt;Also, in the next few weeks we’ll be releasing the Chef recipes we use internally, as well as some tips on how to scale this, so you can add it to 1 or 1 million machines. However, if you can’t wait, it should be quite easy to quickly hack this version to fit your company’s needs. As always, simply e-mail us at support@authy.com or join our Campfire chat if you need help: &lt;a href="https://authy.campfirenow.com/1c6c4"&gt;https://authy.campfirenow.com/1c6c4&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By the way, we made a small video so you can see it in action; you can watch it below in full screen.&lt;/p&gt;

&lt;div class="video"&gt;&lt;iframe src="http://player.vimeo.com/video/48266785" width="640px" height="420px" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen&gt;&lt;/iframe&gt;&lt;/div&gt;



</content>
  </entry>
  <entry>
    <title>New website, plans and blog</title>
    <link rel="alternate" href="http://blog.authy.com/new-website-and-blog"/>
    <id>new-website-and-blog</id>
    <published>2012-11-13T00:00:00+00:00</published>
    <updated>2012-11-13T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;We just updated our website, our pricing and our blog.&lt;/p&gt;

&lt;p&gt;First we cleaned up our index page and our demo to make them easier to understand/navigate. But perhaps the biggest change is our new plans and pricing.&lt;/p&gt;

&lt;p&gt;We're committed to building a long-term, self-sustainable company which provides the best two-factor authentication you've ever seen.
In order to achieve this, we've monitored usage/costs over the last few months and it was clear ...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;We just updated our website, our pricing and our blog.&lt;/p&gt;

&lt;p&gt;First we cleaned up our index page and our demo to make them easier to understand/navigate. But perhaps the biggest change is our new plans and pricing.&lt;/p&gt;

&lt;p&gt;We're committed to building a long-term, self-sustainable company which provides the best two-factor authentication you've ever seen.
In order to achieve this, we've monitored usage/costs over the last few months and it was clear we had to make some changes to our current pricing. For those of you who already signed up for one of the previous plans, you can keep it as long as you want or you can change to any of our new plans; your choice.&lt;/p&gt;

&lt;p&gt;Next, we decided to simplify our blog. We were using WordPress, and although it's very powerful and probably the most popular blogging engine, we came to the conclusion it was just not for us. After looking for an alternative, we decided to write our own and then open-source it. &lt;a href="https://github.com/danpal/blossome"&gt;Blossome&lt;/a&gt; (Blog + awesome) is a simple blog engine for hackers. We'll be talking more about Blossome soon; we still want to fix a few issues before making it more available.&lt;/p&gt;

&lt;p&gt;We hope you like our new website and plans.&lt;/p&gt;

&lt;p&gt;PS. Thanks to Patrick McKenzie (patio11) for his advice on this matter during TwilioCon.&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>One token to rule them all</title>
    <link rel="alternate" href="http://blog.authy.com/authenticator"/>
    <id>authenticator</id>
    <published>2012-12-13T00:00:00+00:00</published>
    <updated>2012-12-13T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;Since we launched Authy, one of the most common concerns has been that no one wants to install a new app for every Two-Factor Authentication account. We built Authy to create the best Two-Factor Authentication system ever created, so naturally we had to solve that problem. Today we are happy to announce that you can now add all your Google Authenticator Tokens into Authy.&lt;/p&gt;

&lt;div class="image"&gt;&lt;img src="/assets/posts/authenticator.png"&gt;&lt;/div&gt;


&lt;p&gt;We've made a number of improvements over the Google Authenticator App.
...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;Since we launched Authy, one of the most common concerns has been that no one wants to install a new app for every Two-Factor Authentication account. We built Authy to create the best Two-Factor Authentication system ever created, so naturally we had to solve that problem. Today we are happy to announce that you can now add all your Google Authenticator Tokens into Authy.&lt;/p&gt;

&lt;div class="image"&gt;&lt;img src="/assets/posts/authenticator.png"&gt;&lt;/div&gt;


&lt;p&gt;We've made a number of improvements over the Google Authenticator App.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Account backups: If you choose to, Authy will encrypt (inside your phone) your Google Authenticator accounts and we will securely store them on our servers. Note that we only store the encrypted version. Neither Authy nor its employees will have access to your accounts. We recommend you choose an encryption key of 8 or more characters.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Automatic account detection: We'll automatically detect whether it's a Gmail account, a Dropbox account or any other account. Depending on that, we'll use different graphics and other enhancements.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;You always get 20 seconds to enter your token. Every time you open the app, we'll open your last used token and you will have 20 seconds.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;We'll automatically check your time and if it's out of sync, we'll let you know. Future versions will automatically sync the time for you, just as we do on all Authy tokens.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;If you don't have an Authy account and still want to use the Authy App for Google Authenticator, you first have to sign up here: &lt;a href="https://www.authy.com/signup"&gt;https://www.authy.com/signup&lt;/a&gt;&lt;br/&gt;
If you're already using Authy simply update the app from the iPhone or Android Marketplace.&lt;/p&gt;

&lt;p&gt;Here's a small video showing how to add Authenticator accounts.&lt;/p&gt;

&lt;div class="video"&gt;&lt;iframe src="http://player.vimeo.com/video/55537613" width="640px" height="420px" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen&gt;&lt;/iframe&gt;&lt;/div&gt;



</content>
  </entry>
  <entry>
    <title>Protect your WordPress site from attackers in 2 minutes with Authy</title>
    <link rel="alternate" href="http://blog.authy.com/wordpress"/>
    <id>wordpress</id>
    <published>2013-01-31T00:00:00+00:00</published>
    <updated>2013-01-31T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;WordPress has made it easy for anyone to create and maintain a great site. It's so powerful that even some of the biggest sites on the web like forbes.com use it.&lt;/p&gt;

&lt;p&gt;Last year we saw millions of passwords stolen when large sites like LinkedIn and Gamigo were compromised. Then we read through the &lt;a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/" target="_blank"&gt;gripping story of Wired reporter Mat Honan&lt;/a&gt; ...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;WordPress has made it easy for anyone to create and maintain a great site. It's so powerful that even some of the biggest sites on the web like forbes.com use it.&lt;/p&gt;

&lt;p&gt;Last year we saw millions of passwords stolen when large sites like LinkedIn and Gamigo were compromised. Then we read through the &lt;a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/" target="_blank"&gt;gripping story of Wired reporter Mat Honan&lt;/a&gt; telling us how his life got turned upside down when his accounts got compromised. We saw how suddenly the media and everyone started talking about two-factor authentication. How now, more than ever, it is important to protect yourself with more than just a password. But the truth is: that's easier SAID than DONE. We want to change that TODAY.&lt;/p&gt;

&lt;p&gt;Today we're releasing a WordPress plugin that's specifically designed to help anyone, technical or not, to protect their WordPress site with Two-Factor Authentication in under 2 minutes.&lt;/p&gt;

&lt;p&gt;Two-Factor Authentication is a strong form of authentication where the person is required to know something, like a password, and have something, like a smart card. With Authy, the person is required to know his password as well as a Token. The Token is a 7-digit number that changes every 20 seconds and is tied to a physical object you already have: your phone. So even if an attacker was able to get your password, he has no way of knowing your Token since he doesn't have your phone. Also, because the Token is changing constantly (every 20 seconds) and can only be used once, phishing attacks and key-loggers are ineffective. Even if an attacker was able to get the Token using a key-logger or a phishing attack, the Token would already have been used or expired.&lt;/p&gt;

&lt;p&gt;You can get your free API key from Authy &lt;a href="https://www.authy.com/signup" target="_blank"&gt;here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Download the plugin from: &lt;a href="http://wordpress.org/extend/plugins/authy-two-factor-authentication/" target="_blank"&gt;WordPress&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To make sure anyone can benefit from this, we made a video that explains how to install and configure Two-Factor Authentication today on your WordPress site &lt;strong&gt;in less than 2 minutes&lt;/strong&gt;.&lt;/p&gt;

&lt;div class="video"&gt;&lt;iframe src="http://player.vimeo.com/video/58410368" width="640px" height="420px" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen&gt;&lt;/iframe&gt;&lt;/div&gt;



</content>
  </entry>
  <entry>
    <title>Authy WordPress plugin Vulnerability Resolution</title>
    <link rel="alternate" href="http://blog.authy.com/wordpress-vulnerability"/>
    <id>wordpress-vulnerability</id>
    <published>2013-02-05T00:00:00+00:00</published>
    <updated>2013-02-05T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;Last week we released a WordPress Plugin for Authy. A few hours after the launch we were informed by Jon Oberheide from Duo Security that our WordPress plugin contained a vulnerability.
Within 10 minutes we were able to confirm the vulnerability and evaluate the security impact. Our determination was that the vulnerability was not critical and we decided not to pull the plugin from WordPress.&lt;/p&gt;

&lt;p&gt;We also immediately started working ...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;Last week we released a WordPress Plugin for Authy. A few hours after the launch we were informed by Jon Oberheide from Duo Security that our WordPress plugin contained a vulnerability.
Within 10 minutes we were able to confirm the vulnerability and evaluate the security impact. Our determination was that the vulnerability was not critical and we decided not to pull the plugin from WordPress.&lt;/p&gt;

&lt;p&gt;We also immediately started working on fixing the issue. 4 hours later, after doing all quality checks, we released a new version which patched the vulnerability.&lt;/p&gt;

&lt;p&gt;We are committed to being a very transparent company, so we want to detail here what the vulnerability was. We're also working on creating a new webpage that will detail how we handle security vulnerabilities at Authy and how to contact us in case you find one. We'll publish this on our website and our blog in the next few days.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Details&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Authy WordPress Plugin uses 2 different web-pages to authenticate users that enable 2-factor authentication. On the first page the user enters his username/password and on the second he enters his Authy Token.&lt;/p&gt;

&lt;p&gt;Because of how WordPress Authentication works, we had to re-use the same end-point for both POST requests (username/password and token). Jon found that it was possible to bypass the password check if you sent a valid Two-Factor token to the authentication endpoint by manipulating the first request. This meant that the Two-Factor Authentication was reduced to one factor, in this case a valid Authy Token.&lt;/p&gt;

&lt;p&gt;Because the attacker still needs a valid Authy Token, the impact was fairly low. Authy tokens are generated using &lt;a href="http://tools.ietf.org/html/rfc6238"&gt;RFC 6238&lt;/a&gt; with a 256 Bit Key (HMAC-SHA256), can only be used once and are time sensitive. That makes generating a valid Token virtually impossible without having access to the secret key. For instance, Authy.com has used single factor authentication using Authy Tokens for over a year now.&lt;/p&gt;

&lt;p&gt;Essentially the Authy Token is much more secure than a password, and you are much more secure if you are using a Token instead of a password.&lt;/p&gt;

&lt;p&gt;So if you installed the plugin you were still better protected than you were initially with just a password. That said, we've already released a new version to fix the issue and most people have installed it; if you still have the old version, consider updating now.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fix&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We looked at several alternatives, including checking the token and the password on the same screen. Ultimately, we decided it was best to keep a separate web-page for the token.
In order to make this work securely, during the logon process when WordPress verifies your password, we generate a long random string that we return to the browser if the password is correct. This random string is only valid once, for the next 5 minutes. So when you enter your token, your browser transparently also sends back this random string. We then verify that both the token and the random string are correct. Since only the person who knows the password will be able to get the random string in the first place, we know by the time we verify your token that you know the password, without ever exposing your password back through the network.&lt;/p&gt;

&lt;p&gt;We've also released the full source code of the plugin if you want to check it yourself: &lt;a href="https://github.com/authy/authy-wordpress/"&gt;Source Code&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Thanks&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We want to thank Jon Oberheide from Duo Security for informing us responsibly about the vulnerability and handling the whole issue very professionally.&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>New Authy Security Issues Page</title>
    <link rel="alternate" href="http://blog.authy.com/security-issues"/>
    <id>security-issues</id>
    <published>2013-02-06T00:00:00+00:00</published>
    <updated>2013-02-06T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;As we've grown it's been increasingly important we maintain transparency and security. We want to make it clear and easy for anyone to report security issues to us. Today we're adding our security issues page. It details how we handle security vulnerabilities at Authy Inc and how we can be contacted if you find one.&lt;/p&gt;

&lt;p&gt;Bottom line is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;We will never take any legal or intimidatory actions for reporting security issues to us.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;We ...&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;As we've grown it's been increasingly important we maintain transparency and security. We want to make it clear and easy for anyone to report security issues to us. Today we're adding our security issues page. It details how we handle security vulnerabilities at Authy Inc and how we can be contacted if you find one.&lt;/p&gt;

&lt;p&gt;Bottom line is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;We will never take any legal or intimidatory actions for reporting security issues to us.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;We will always responsibly disclose all issues we receive publicly. We will never try to hide a security issue, no matter how big or small it is.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;You can read the whole page &lt;a href="https://www.authy.com/security-issue"&gt;here.&lt;/a&gt;&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>How to protect your WordPress site from brute-force attacks</title>
    <link rel="alternate" href="http://blog.authy.com/wordpress-bot"/>
    <id>wordpress-bot</id>
    <published>2013-04-15T00:00:00+00:00</published>
    <updated>2013-04-15T00:00:00+00:00</updated>
    <author>
      <name>Authy</name>
    </author>
    <summary type="html">&lt;hr /&gt;

&lt;p&gt;Last week a large distributed brute-force attack was launched against WordPress Blogs.
One of the first to notice the attack was &lt;a href="http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br"&gt;CloudFlare&lt;/a&gt;. Not only did they detect the attack, they automatically protected your WordPress site if you had an account with them.&lt;/p&gt;

&lt;p&gt;In this blog post we want to give you some details of the attack, what to do
if you were compromised and things you can do going forward to protect your site from future
...&lt;/p&gt;
</summary>
    <content type="html">&lt;hr /&gt;

&lt;p&gt;Last week a large distributed brute-force attack was launched against WordPress Blogs.
One of the first to notice the attack was &lt;a href="http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br"&gt;CloudFlare&lt;/a&gt;. Not only did they detect the attack, they automatically protected your WordPress site if you had an account with them.&lt;/p&gt;

&lt;p&gt;In this blog post we want to give you some details of the attack, what to do
if you were compromised and things you can do going forward to protect your site from future
attacks.&lt;/p&gt;

&lt;h3&gt;The attack&lt;/h3&gt;

&lt;p&gt;The attack is simple. Because WordPress by default does not limit the number of login attempts a person can try, the attackers created a bot that identified WordPress sites and tried to brute-force the login using common username/password combinations.&lt;/p&gt;

&lt;p&gt;A total of 2927 common username/password combinations were tried. All of them are
simple usernames and passwords. Here's a sample of 10 combinations used
in the attack:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Admin:passwd
Admin:parol
Admin:pass
admin:admins
admin:administrator
admin:administrators
admin:Admin
jessica:JMR9760
jessica:JMR9760
jessica:JMR976
admin:qwerty
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Although the list is short (&amp;lt;3000), it looks like it was highly effective.
&lt;a href="http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood"&gt;HostGator reported that up to 90,000 IPs are participating in the attack.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The reality is that passwords are simply not enough these days.&lt;/p&gt;

&lt;h3&gt;How to protect yourself&lt;/h3&gt;

&lt;p&gt;There are 3 simple things you can do to protect your WordPress site.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Rate limit the amount of logins using this WordPress plugin.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; http://wordpress.org/extend/plugins/limit-login-attempts/
&lt;/code&gt;&lt;/pre&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Avoid using common login names such as admin, Admin, root, Administrator.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Don't use common words for passwords. Make sure you choose a strong password.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;These are simple steps you can take to ensure your WordPress site is a little safer. However, if you have a larger WordPress site with multiple users, it's hard to make sure everyone is following these practices. If you are serious about security you shouldn't be using usernames and passwords only.&lt;/p&gt;

&lt;p&gt;We recommend:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.cloudflare.com/sign-up"&gt;Sign-up for a free CloudFlare account&lt;/a&gt;. They will not only protect you from these types of attacks but from many others.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Enable Two-Factor Authentication on your WordPress blog. Have a look at &lt;a href="https://www.authy.com/products/wordpress"&gt;Authy for WordPress&lt;/a&gt;. Don't be intimidated if you are not tech savvy; we designed the Authy for WordPress plugin to be used by anyone. Just follow the installation video and you'll be fine.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;


&lt;div class="video"&gt;&lt;iframe src="http://player.vimeo.com/video/58410368" width="640px" height="420px" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen&gt;&lt;/iframe&gt;&lt;/div&gt;


&lt;h3&gt;What if you are already compromised?&lt;/h3&gt;

&lt;p&gt;There are a few steps you should take:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Log in as admin and remove all users from your WordPress site that you don't recognize.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Change all of your passwords (for all users).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Re-install your WordPress site from scratch.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Change your database password. Look at wp-config.php. Make sure you change your database password and any other passwords inside that file.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;


&lt;h3&gt;Staying safe&lt;/h3&gt;

&lt;p&gt;As attackers and attacks evolve, keeping your WordPress site secure becomes harder and harder. We know trying to remember complicated passwords is hard, and enforcing it on others is even harder. But there's no reason these days that you should be using a username and password only. If you enable Two-Factor Authentication and keep your WordPress site up to date, you're already 99% ahead of the attackers.&lt;/p&gt;
</content>
  </entry>
</feed>
