As part of our ongoing effort to protect not only your own data, but that of your participants, we’re making Two-Factor Authentication (2FA) available across user accounts on Let’s Do This.
2FA is an authentication method in which a user is required to use two authentication factors before being granted access to an application.
💡 An authentication factor is an authentication property, e.g. a knowledge factor (something you know, like a password or security question), a possession factor (something you have, like an enrolled device), or an inherence factor (something you are, like your fingerprint).
💡 An authenticator is something a user owns or controls and uses to authenticate their identity, e.g. biometrics or a username/password.
Why?
A recent study by Persona found that 81% of security breaches are caused by stolen or weak passwords.
We’re adding this for a number of reasons:
With increasing cyber threats, 2FA provides an extra line of defence, making your account more resilient to unwanted access attempts.
2FA significantly decreases the probability of online identity theft, phishing, and online fraud.
Data security is maintained, even when passwords are compromised. Knowing that your account has an extra layer of protection provides a higher level of assurance about the safety of your sensitive information.
v1 Feature Summary
2FA is now available to turn on in your User Profile settings. The type of 2FA we've enabled is Time-based One Time Password (TOTP). Basic functionality and user flows that have been released are:
Users will be able to find a '2 step verification' section on their profile page on the dashboard.
Ability to log in to EO/Partner dashboard using 2FA:
User enters their username/password
Next screen asks to enter verification code
User enters verification code and gains access to dashboard
Ability to enrol a second factor (TOTP):
User navigates to the Two Step Verification section on their profile
Scan QR code using authenticator app on phone
Enter verification code from authenticator app
Verify
Ability to remove a second factor
v2 Feature Summary
As part of a v2 release, we are considering the following:
Ability for admins to remove a second factor on behalf of a user
Ability for admins to choose whether or not to make 2FA compulsory for their entire organisation.
Feedback
Once live, feedback will be collected through initial discovery interviews with partner organisers. This feedback will be prioritised by our product team and used to inform the v2 2FA release.
FAQs
Can I enable 2FA when logging in with Facebook/Google/Apple?
No, 2FA can only be enabled for generic email login accounts.
If 2FA is enabled, do users need to authenticate every time they log in to the dashboard, or on a once-daily basis?
Users who have 2FA enabled will need to authenticate every time they log in.
If 2FA is enabled, do users always need their device with them (with the auth app installed) to log in to the dashboard?
This depends on the auth app in use - if the user is using an app like Google Authenticator, then yes, they will need their phone with them. Apps such as 1Password support 2FA codes and also sync across different devices (including laptops/desktops), which means they can be used without a phone as well.