June 20, 2011

2-Factor Authentication to your SpiderOak Account

278 comments

We are now offering limited support for 2-Factor Authentication into your SpiderOak account.

2-Factor Authentication provides an additional layer of security on top of password protection. In other words, if someone were to compromise your username and password, these two elements alone would not be enough to allow them to access your SpiderOak account.

As a first step, we are offering this new feature only to paid users who have phone numbers located inside either the US or Canada. Given that a high percentage of SpiderOak customers (and several SpiderOak team members) live outside North America, we will soon eliminate this restriction.

To enable 2-Factor Authentication for your account, you may either log in to SpiderOak.com or, in the SpiderOak application, navigate to Account -> Credit Card / Billing Information. You will then notice a new option labeled '2-Factor Authentication'.

Once enabled, any time you log in to your SpiderOak account via the web or a mobile device, you will need to provide your current username, password, AND a 'token'. The 'token' will be sent to your mobile device and should be entered directly after your password with no spaces or marks between them. For example, if your password is 'red' and the token reads '1234' then you would simply enter 'red1234'.

Each 2-Factor Authentication token you receive is good for 12 hours and can be created here: Token Request. The text message you receive will look similar to the below:

SpiderOak Secure Login Token: 01234567
This code is good for 12 hours. If this login
code was unexpected, email
support@spideroak.com

You can only request one token every twelve (12) hours. If you try to request a token more frequently than twelve hours, subsequent attempts will silently fail. If two factor authentication is enabled for your account, any login attempt that does not include a current token will also fail (similar to entering an invalid password or a non-existent username).
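The issuance and login rules described above (token appended directly to the password, 12-hour validity, one request per 12 hours with repeats failing silently, and a missing token failing like a bad password) as an added server-side sketch; this is not SpiderOak's code. It assumes a fixed 8-digit token as in the sample SMS, because with no separator the server has no other way to split password from token:

```python
import hmac
import hashlib
import secrets

TOKEN_LIFETIME = 12 * 60 * 60      # token is good for 12 hours
TOKEN_MIN_INTERVAL = 12 * 60 * 60  # at most one token request per 12 hours
TOKEN_DIGITS = 8                   # assumption: fixed length, as in the sample SMS


class Account:
    """Constructed in-memory account record (hypothetical, for the example)."""

    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.two_factor = False   # optional feature, off unless the user enables it
        self.token = None         # current SMS token, or None
        self.token_issued = 0.0   # epoch seconds when the current token was issued

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)


def request_token(acct, now):
    """Issue a fresh token, or return None (silent failure) if the previous
    token was issued less than TOKEN_MIN_INTERVAL seconds ago."""
    if acct.token is not None and now - acct.token_issued < TOKEN_MIN_INTERVAL:
        return None
    acct.token = "".join(str(secrets.randbelow(10)) for _ in range(TOKEN_DIGITS))
    acct.token_issued = now
    # Text that would be handed to the SMS gateway.
    return f"SpiderOak Secure Login Token: {acct.token}"


def login(acct, submitted, now):
    """Verify 'password' (2FA off) or 'password' + 'token' with no separator (2FA on)."""
    if not acct.two_factor:
        return hmac.compare_digest(acct._hash(submitted), acct.pw_hash)
    if len(submitted) <= TOKEN_DIGITS:
        return False  # too short to hold both parts: treated like a bad password
    password, token = submitted[:-TOKEN_DIGITS], submitted[-TOKEN_DIGITS:]
    token_ok = (acct.token is not None
                and now - acct.token_issued < TOKEN_LIFETIME
                and hmac.compare_digest(token, acct.token))
    password_ok = hmac.compare_digest(acct._hash(password), acct.pw_hash)
    # Both checks always run, so a bad token and a bad password cost the same.
    return password_ok and token_ok
```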

Please Note: This is an optional feature that has to be manually enabled by the user. If 2-Factor Authentication is not enabled, the login procedures will remain unchanged – continuing with a password-only based login.

For the first days of this trial-program, 2-Factor Authentication will only protect web based logins. Over the course of the next several days, we will be extending this feature globally and anywhere you have to authenticate to SpiderOak (e.g. activating new devices and/or reinstalling existing devices).

Finally, as a reminder: even with two-factor authentication, the usual recommendation still applies, and accessing your data via the desktop client is more secure than via the web or a mobile device.

For those curious about how 2-Factor Authentication is implemented, we are working with the excellent Twilio telephony API to deliver the SMS messages. It costs SpiderOak $0.01 per SMS token which we believe to be more than reasonable and money well spent.

Depending on the interest and adoption, we may extend this to Android OATH tokens, Yubikeys, or other various secondary security factors. Please feel free to give feedback on what additional methods you’d like to see and/or the arrangement in general. We are obviously in the early phases now but excited to be adding this additional security layer for those security conscious folks among us.

Comments
  1. Multi factor authentication is a cornerstone of strong access controls. I can't wait until you roll this out to the client as well.

  2. I use the little number keyfobs on PayPal and eBay, and it's nice to see other places adopting multi-factor auth. You're currently doing better than my bank. :)

  3. Cool, it's good to see that you're adding more layers of security, instead of removing existing layers :)

  4. Incredible. This was at the TOP of my want list ever since Google added the same second layer of authentication. This is an incredible service and more than worth my annual payment!!!

  5. This is awesome – I especially like the Android OATH token idea. Any possibility of opening up the protocol in a similar way to how Google did with theirs, so theoretically folk could write their own second factor apps? (I for example have a programmable wristwatch that displays my Google token)

  6. You guys should check out Duo Security. It would be nice to have offline and non-SMS options for this, and something out of band to prevent MITM attacks. Their push stuff totally rocks!

    Also nice goatse. I see what you did there! :-)

  7. Google 2-factor is great. It allows you to choose between a smartphone application or SMS. If my smartphone fails I could ask for an SMS on another phone by changing my SIM card and still log in to my account.
    Yubikey is great also (but only works on desktops).

  8. thanks a lot! So will mobile/web access automatically be compatible? I'd use it for your Maemo/N900 app!

    +1 for Yubikey

  9. I'd really like to use this when you roll it out to desktop/mobile applications, but I'm concerned about the 12-hour limit (assuming this is a one-time use token, as this sort of token usually is). Since I use SpiderOak on four different devices, if I was burgled or my house burned down or something, it would take 48 hours for me to log into SpiderOak on all of my replacement devices and start restoring my data.

  10. Yubikey is great (I have two), but the Android OAuth is more convenient (I use it for Gmail).

  11. I (and many others, I guess) already have a SecurID hardware token for Paypal/eBay. Being able to use that with SpiderOak as well would be very convenient.

  12. Great news guys. After researching different online storage providers yours was up there due to security and this steps it up another notch! Great to see you guys focusing on security as a priority.

  13. Would love to be able to identify specific machines as not needing 2-factor. E.g. my home desktop I consider secure enough not to need it, so I'd rather avoid the annoyance. Lastpass does this with Yubikey, though I'm not sure how it is implemented. Really you'd get 99% of the security by using 2-factor only to add/remove devices from an allowed list.

  14. +1 for Yubikey. I'm already using it on Passpack and Fastmail.

    It's very nice that you are implementing Two-Factor authentication. It would provide even more superiority over other services.

  15. I use google 2 factor using the android authenticator app. It would be great if spider oak could use the google code to build your own app.

    Also I like the way that Google allows the user to "clear" a device for 30 days, as this allows the device to be verified by 2 factor and then avoids having to reverify every time you logon.

    Also serious thought should be given to recovery if the user loses their phone or other device used for two factor. Overall I think Google's implementation is very good and you won't go far wrong by following them.

    I'm currently a paying Dropbox user, but given all the security issues recently I'm looking to move over to SpiderOak. 2 factor security is a major feature that will make me move over.

    Also +1 for UK sms support :)

  16. +1 for using an Android app for 2 factor. I use the Google Authenticator and also the VIP Access (from Verisign) apps for access to different services.

  17. Yubikey (with mobile sms as backup) would set spideroak so far ahead of the competition they'll be eating your dust for months!

  18. +1 for Google Authenticator. It uses some standard RFC for HOTP and an extension for that for TOTP.

  19. Security, especially from the country I'm coming from, is paramount. It was exactly this why I chose SpiderOak over other services. It's sad that the 2nd auth isn't global. I'd also like something else than SMS/Yubikey as that would restrict my access at all times (not to mention the possibility of illegal wiretapping that includes SMS). I'm very happy with LastPass and their auth systems – grid or an OTP generation program. Something like that would be universal, inexpensive and very portable. Any chances of that?
    Thanks

  20. I'd love to see support for Yubikey, whether via their own OATH/OTP servers or Verisign's VIP service (also offered by Yubico)

  21. +1 Yubikey

    I already have one. Please use the Yubico back-end so I can feel free to change the AES key as often as I like and continue to use it as a Two factor Auth for all my PAM Linux uses.

    This is how LastPass has it.

  22. Please extend to YubiKey. In doing so you will further endear people who want a secure pre-Internet encryption way of encrypting our data.

  23. Am looking forward to this coming to Australia. I'd also be interested in the YubiKey as an alternate or replacement authentication device in the event I were to lose the phone and needed to get back in.

  24. +1 for Yubikey. This is what I use elsewhere and prefer. I probably wouldn't use the SMS based 2-factor that is mentioned here, but if there was yubikey support, I'm in.

  25. +1 yubikey
    +1 Europe
    Excellent initiative. I don't access my data any other way except by the desktop client but more security is never wrong.

  26. I'd like to see Yubikey as well but the problem with them is that there would be no way to use them on a mobile device so you'd have to be able to use either Yubikey or your current method.

  27. Good news, but as I consider my desktop computer "safe", I'd like to use the 2-Factor authentication only for the mobile and web access. Would it be possible to configure it this way?

  28. LastPass has some interesting additional options including something they call grid, One-time passwords, and being able to select trusted devices. I like the idea of OTPW's a lot. If for some reason you must access your account via the web, especially from an untrusted computer, then using a one-time pass is a great option.

    What I'd like more information on though is how is it possible to add unlocking options to my key if it's encrypted on my local machine with a password of my choosing and only known to me.

  29. +1 Yubikey

    Also since I add headless Linux devices, is there a token field in there I can update? Doesn't happen often so I can just disable 2 factor, add the computer, then re-enable it.

  30. I use a few cloud based backup solutions but SpiderOak gives me a warm feeling of safety indeed. I get the feeling that SpiderOak really tries to do its best to fix common cloud problems, like security and safety of information, even in case something has been hacked.

    Thumbs up for This!

  31. Aug 13, 6.20AM – stonking great spam posting. Which leads one to suppose you are not actually looking at these comments….? If you *were*, then +1 for Android auth. Hmmmm?

  32. Given that i'm in China, I can't wait for this to be rolled out here as well…c'mon guys, when can I have this enabled? :)

  33. +1 Google Authenticator. Yubikey cannot be used on my android phone. I switched from it on lastpass as soon as google authenticator was available.

  35. =====
    For the first days of this trial-program, 2-Factor Authentication will only protect web based logins.
    =====
    Clearly, this is a definition of "first days" that I was previously unfamiliar with. ;-) Six months later and still no 2-Factor authentication in the SO client. So even if I turn on 2-Factor authentication, an intruder need only install the SO client to avoid the added layer of security. Until 2-Factor authentication is enforced on the SO client, this is nothing more than a novelty.

  36. I was just searching for other online backups like Dropbox and Wuala and I just jumped up when I noticed this supported Yubikey, but first, why only Canada/USA and second why only web page? Unless it's enforced for the client (and any devices you choose to add) this will only partially increase security.

  37. +1 Yubikey would be awesome and since the implementation is painless, I think it's a win win :)

  38. Recently I activated two-factor authentication on my Gmail Account. I read about TeleSign's two-factor authentication product that works with any phone and can be deployed worldwide.

    API integration is quick and seamless and no need to purchase any hardware. TeleSign’s solution is fully redundant on all hardware, network, and telecommunications layers.

    Visit http://www.telesign.com/products-demos/two-factor-authentication/ for more details about the two-factor authentication product.

  39. Google Authenticator. Yubikey cannot be used on most mobile devices. I own one, but when LastPass offered Google Authenticator, I switched because it is better.

  40. +1 for Yubikey
    +1 for Google Authenticator
    +1 for OAuth
    +1 for GrIDsure kind of token
    Give people a choice and they become customers.

  41. Restrict the SMS function to 2 per 24 hours and integrate this open source OTP system that already has clients for every device: motp.sourceforge.net

  42. Hello? OATH TOTP (google authenticator) support please!

    People want offline 2-factor, and you insist on paying $.01/SMS to send tokens that can be intercepted (SMS isn't *that* secure)? Why?

  43. I'd really like to be able to create a share with its own 2 factor authentication. Either I provide the phone number, or you put up a webform for the guest to put in their phone number. I have some sensitive docs that I want to share with my family, but am reluctant to share as it seems the only thing protecting them is an obfuscated URL.

  44. Using a second passphrase for 12 hours breaks your 2-factor model. The second passphrase is a proxy for the possession of the phone, so if you stretch it past "temporal" then you just end up with a 2 x 1-factor login.

    I applaud the effort but this is a serious flaw. Read NIST 800-63 …

  45. +1 RFC 6238 Time-based One-time Password (TOTP) (Same as Google Authenticator)

    When will this be available for International customers?

  46. We're getting on to a year after this announcement. Any chance of an update on the future of 2-factor authentication?

  47. Same as Colin – when's the update on if/when Yubikey etc will be available for International customers?

  48. As this seems to have turned into a poll I will just drop my

    +1 for Yubikey, as I already have one

  49. I'd really like to see this extended to google authenticate. It's the last piece of security I'd like to see implemented here.

  50. +1 Yubikey! I also am using it for lastpass. Actually found SpiderOak searching for storage and sync that used Yubikey.

  51. Yubikey is great for MANY things, but because of the mobile stuff, I think that something like the Google Authenticator might be a better fit, generating One-Time Use Passwords on your mobile device directly. (saving money on SMS)

  52. +1 Google Authenticator. It's the most convenient, it allows me to use lastpass and gmail 2 factor auth in one app.

  53. Seriously, the key to making two-factor authentication a thing is to use open standards. That means anything OATH-compatible: Google Authenticator, Android OATH, etc. . . I'm being totally honest here, the moment you support OATH I'm going to magically turn into a paying customer. I'm already hooked on your service, and would pay if I ended up using the storage space / weren't also using DropBox simultaneously for my non-critical stuff.

  54. I enabled 2 factor authentication on my account and was locked out until I called customer support. They had to take 2 factor auth off and then I had to go in and change my password. (apparently this implementation of 2 factor auth didn't like special characters in your password)

    Has this been fixed? No one ever got back to me to say.

  55. I'm a paid user and I'm definitely interested in either yubikey or google auth. I tried enabling the current system and it seems just too clunky to me. Any news on when we can expect an update of the 2-factor feature?

  56. Another vote for Google Authenticator support — I already use it for Gmail and Dropbox and it's available on every mobile platform. This eliminates dependency on access to SMS.

  57. Yubikey, please.
    My email provider uses it (FastMail). Usage is simple and convenient, provides excellent security for website access when away from your own computer.

  58. I think I will cancel my SpiderOak account. It's almost 2013 and still using silly SMS schemes instead of Google Authenticator or a Yubikey. Come on, how can you claim to be security conscious on this site if your dual factor auth is so lame? Makes me wonder how secure this site really is under the covers. Even LastPass has you guys beat in the number of dual factor options they offer.

  59. +1 Google Authenticator. If you're gonna provide 2-factor authentication support for international users, Google Authenticator will save your company a lot on the phone bill. And not every carrier is reachable with SMSes.

  60. Please add OATH and/or Yubikey support promptly! It's the only thing keeping this from being a 5-star security service!

  61. Google Authenticator would not incur a per transaction cost and would allow global support. Yubikey is also good but is dependent on Yubico as a third party.

  62. As a non-USA customer, you guys really need to implement this! For procurement with big customers we are asked about our authentication levels and this causes us (your clients) problems. Just some idea of a roadmap would help!

  63. I just added a new device to my network and wasn't prompted. Does two factor authentication only work for web logins? If so, what good is it if someone can just download the client and try to login that way?

  64. Still no 2-Factor Authentication for non-US users; from a company whose reputation is built on security this is shocking. So is the lack of official response. Time for us users to vote with our feet and move elsewhere.

  65. Approaching 2 years later, and still no two-factor support for us non-USA customers. I feel rather let down…

  66. A solid two-factor authentication is the only thing holding me back from a premium paid membership. I would love to see use of the Google Authenticator.