2 step authentication – stop hackers, bad leavers and leaks!

imageProjectfusion will be offering 2 step authentication from August 14th. It’s simple for users, just requiring them to enter a token sent to their email address. This offers great protection from risks like hackers,  3rd party leavers and deliberate leaks.
Like all good things it appears simple, however a lot of thought has gone into this release, in particular the use of ‘known networks’ will continue to allow the use of standards based tools for mobile devices and syncing and uploading data (like WebDAV and the new content management interoperability service CMIS).

Major risks protected include:
Hackers – having 2 step authentication on makes it much harder to force entry to a users account. Even if they have the password, they also need to have compromised the users email account to gain access.
3rd party leavers – you’re protected against people leaving other companies and maintaining access to your information (see here for more).
Leaks – it becomes harder to leak information if you have to share your username, password, and a short validity token that only works once. We also track the network location of all logins, this can often identify access points down to street number level.
Default Authentication profiles. There are three new profiles available to administrators, the basic 2 tier will  ask users for tokens once every 30 days (configurable) from known networks. The max security will ask for a one time token every time they login. The default is simple username password authentication with no concurrent logins allowed.
Definable authentication profiles.  If you have a particular security profile you like you can tinker with all the token validity settings, and even create your own profiles for different sets of users.
Concurrent logins. You can allow or block concurrent logins (logging in from 2 different devices at the same time using the same username). You may choose to enable this for users who often use e.g. iPad applications as well as the web. The default setting is blocked.
Known networks, device and API access. You can enable ‘safe networks’. If a user marks a network as safe, then he or she can login from that network for 60 days (changeable) without entering a token. This will make access quicker, and enable the use of mobile applications and API access for clever things like automated content sync from your x drive.
Future plans
We will be adding other profile options like time based access, and IP restricted access.
If there’s a security option you would like to see, please let us know.