(Updated 2014-01-08: Two-factor authentication is now GA)
Here at MongoLab, security is one of our foremost concerns. Part of our stewardship of our users' data, in addition to keeping it accessible and intact, is doing our best to secure it against unauthorized access. Today, as part of that effort, we are excited to announce our adoption of two-factor authentication ("2FA") for MongoLab's web-based management portal.
If you keep tabs on the glamorous InfoSec scene you probably already know what 2FA is and exactly why you should care. If that's you, feel free to skip on down to the punchline in the last paragraph. Otherwise, bear with me and I'll try to explain why an extra screen in your MongoLab login sequence might be a Very Good Thing indeed.
You've probably been advised more than once to use longer passwords, perhaps required to include numbers and exotic characters -- are "words" still okay? Each password should be unique, distinct from all others -- you need a software product just to manage them all! But even when such measures are used, passwords still fall victim to phishing attacks, data heists, social engineering, and good ol' brute force, where Moore's Law favors the bad guys. Whether you feel a tag line like "Passwords are Dead" is sensationalist, aspirational, or right on the money, it's increasingly clear that a single string of characters is simply no longer a robust line of defense against a hacker with a modicum of skill and determination.
This is where multi-factor authentication comes in. When security wonks say authentication factor, they have in mind three distinct categories:
knowledge factor: something only the user should know, e.g., a password, PIN, or secret handshake
ownership factor: something only the user should have, e.g., a smart card, token fob, or private key
inherence factor: something only the user should be, e.g., a fingerprint, retina scan, or DNA
Multi-factor authentication, then, refers to any method of establishing user identity that requires factors from more than one category to be demonstrated. The definition is very particular on that last point: requiring a password and a PIN is still single-factor, for example, because both are in the same category. As for the "more than one" part, in common practice today that number is usually "two".
Two-factor authentication keeps the user safer because, while none of the above factors are unassailable, it is significantly less likely a single attacker will compromise more than one. This central idea is neither complex nor novel: the guy who stole your ATM card in 1982 couldn't get to your cash without also learning your PIN (the second factor).
How does 2FA work on MongoLab? It's simple. Once 2FA is enabled for your account, logging into mongolab.com gains an extra step: after verifying your username and password ("knowledge factor") as always, a subsequent page then requires you to enter a separate 6-digit code before proceeding to your home page. You simply type in the code as shown on your mobile phone, which has become your second ("ownership") authentication factor.
The 6-digit code, which changes roughly every 30 seconds, is the current value from an endless sequence of numbers generated from a secret seed that is unique to your login. An "authenticator" app you install on your smartphone (e.g., Google Authenticator), once initialized with your account's secret seed, can always provide the current value. Once set up in this way, even if an attacker has obtained your account's login username/password to mongolab.com (via a phishing attack or otherwise), if the attacker does not also have your phone, he will not have access to the codes. Thus, the attacker will not be able to log in to your account.
Today, multi-factor user authentication is rapidly becoming an essential component of a reasonable standard of security for any service that deals with sensitive data. We believe that providing 2FA will significantly help our users secure access to their data stores while not compromising the utility of our administrative web interface.
We've been iterating rapidly with a group of early adopters to make our 2FA implementation not only a sound security measure, but also a straightforward, easy-to-use feature for all of our customers. You'll see the "Set up two-factor authentication" button in the MongoLab user administration page once we feel it can deliver on that promise.
In the meantime, if you're interested in increased security and aren't shy about giving us feedback wherever you see something we could improve or clarify, please send email to firstname.lastname@example.org -- we'd love to add you to our beta user group as we finish readying this important feature for release.