New Feature: 2-Factor Authentication for all Boxcryptor Users
Last Christmas, we made you a promise in our newsletter. We set ourselves a deadline and, confident as we are, we even made that deadline public: the promised feature had to be available by the end of 2017. Now we can finally announce that this important feature is ready: Boxcryptor now supports two-factor authentication (2FA) for all users.
Our CTO and co-founder Robert Freudenreich on the topic:
Our users are people who are intensely engaged with data protection and privacy. In the past, we were asked repeatedly when Boxcryptor will support two-factor authentication. Now we are really happy to finally answer those calls for additional authentication security. Further, we think that the best possible data security should be available for everyone. Therefore, we decided to provide 2FA for all users, no matter if they have a paid or a free account.
That means: regardless of whether you are using Boxcryptor for free or with a Personal or Business license, if you want additional protection for your account, you can now enable two-factor authentication.
The Long Way to Two-factor Authentication
2017 has been a year of major changes for us and for the setup of Boxcryptor. We completely changed the sign-in process for all Boxcryptor apps. This was extensive, but important. In addition, we worked on another really big feature for our enterprise customers over the summer: Single Sign-on (SSO).
Only the restructuring of our sign-in and our work on SSO made two-factor authentication possible and doable in an appropriate time frame. We think it was worth the wait, and we are happy that it is now operational.
What is Two-factor Authentication?
In contrast to common authentication, 2FA requires a second proof of identity. Users no longer enter only their individual password (something the user knows); a second factor, something that the user possesses, is also necessary. This could be an object (for example your bank card or smartphone), a piece of information (PINs or single-use passwords) or biometric information (fingerprint or iris scan).
Two-factor authentication prevents hackers from signing in without authorization, even if they have found out a user’s password. If an authenticator app (for example by Google or LastPass) is used for 2FA with Boxcryptor, potential attackers would still lack access to the user’s smartphone and, with that, the second factor. The user gains access to the Boxcryptor account only if the pre-defined factor is successfully verified.
How Does Two-factor Authentication Work with Boxcryptor?
For now, Boxcryptor's 2FA can be set up with a constantly changing numerical code. Such a Time-based One-Time Password (TOTP), a code that changes every 30 seconds, is provided by a third-party authenticator app. When a sign-in attempt is made, the system checks whether the currently valid numerical code has been entered correctly in addition to the user’s credentials (name and password). This setup ensures that only the actual owner can sign in to his or her Boxcryptor account.
In 2018 we will provide the additional possibility to use a hardware token (U2F, for example a Yubikey USB token) for our two-factor authentication.
The technical features for 2FA have been implemented by Boxcryptor’s IT-security specialists. This preserves the software’s convenient user experience, which is characteristic of all encryption products provided by the Boxcryptor team.
How to enable two-factor authentication in Boxcryptor
To enable two-factor authentication, please visit our website. First, you need to sign in. Right on the start page, under "My Account", you will find a new "Security" section. There you can enable 2FA with an additional Authenticator App (TOTP).
To set up 2FA with an authenticator app, please follow these instructions:
- Click on “Enable Authenticator App”. This will open a new window. A QR code and a Secret Key will be displayed.
- Scan the QR code with the authenticator app of your choice. Copy the Secret Key and store it in a secure place.
- From now on, the 6-digit codes will be displayed in the authenticator app. You will be required to enter a code at each Boxcryptor sign in from now on.
- Enter the first code on the Boxcryptor website in the field provided. The codes change every 30 seconds.
Important: Be sure to keep the Secret Key in a safe place. This string allows access to your account in case you lose your smartphone or it is damaged. Alternatively, you can also print out the QR code and keep it in a safe.
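The sign-in check described under "How Does Two-factor Authentication Work with Boxcryptor?" and the role of the Secret Key from the setup steps, as an added example that is not Boxcryptor's own code: a TOTP generator and server-side verifier following RFC 6238. HMAC-SHA1, the one-step drift window and the `last_counter` replay guard are assumptions (the page states only 6 digits and 30 seconds); the sample secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on the page
DIGITS = 6   # code length, as stated on the page

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for one moment in time (HMAC-SHA1 is an assumption)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, last_counter=-1, drift=1):
    """Return the accepted time-step counter, or None if the code is rejected.

    drift        -- steps of clock skew tolerated on each side (assumption)
    last_counter -- highest counter already accepted for this account, so a
                    code seen once cannot be replayed while still valid
    """
    current = unix_time // STEP
    accepted = None
    for counter in range(current - drift, current + drift + 1):
        candidate = totp(secret_b32, counter * STEP)
        # Constant-time compare on bytes; the loop never exits early, so
        # response timing does not reveal which step matched.
        same = hmac.compare_digest(candidate.encode(), submitted.encode())
        if same and counter > last_counter:
            accepted = counter
    return accepted


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))              # RFC 6238 vector, 6 digits
    print(verify(SAMPLE_SECRET, "287082", 59, drift=0))
```

Because `totp` needs nothing but the Secret Key and the current time, any copy of that key can produce valid codes, which is why the stored copy has to be protected as carefully as the phone itself.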
Now there is nothing left but to let you try out our 2FA. We are already looking forward to hearing further ideas from you, on how we could extend Boxcryptor more. But next time, we will probably think long and hard before we set ourselves a public deadline in our Christmas newsletter again…
Happy end of the year! Your Boxcryptor-Team