tl;dr: Tinfoil Security now has two-factor authentication, and with our open source gem, you can too.
Here at Tinfoil Security, we spend a lot of time thinking about how to empower our users to keep themselves secure. Until a few weeks ago, we only offered a single-factor login solution for our users, and in this age of rampant password-theft, that just wouldn’t cut it.
Two-factor authentication adds one more step to logging in, after you’ve put in your password, which helps prove you are who you claim to be. Just as an ATM requires you to have knowledge of a PIN and possession of a physical card, two factor authentication requires you to have both knowledge of a password and access to a temporary code that can only be generated by your physical device. In our case, that device is a smartphone running an application like Google Authenticator.
We audited a few existing two-factor authentication gems for Ruby on Rails, and none of them seemed to fit our requirements – we needed a solution which wouldn’t interfere with our other access-policies (API and SAML, primarily), while also being flexible enough to integrate into our existing login-flow. Rather than rewrite large swathes of existing code, we opted to instead build our own gem, and after using it for a few weeks in production, we’ve decided to open source it! We’re hoping that the ease of integration will drive other developers to further-secure the apps we already love.
With that, we’d like to announce devise-two-factor, a plugin for Devise which abstracts away all of the messy authentication details for you, so that you can simply focus on integrating the functionality into your UI. It plays nicely with all of your existing Devise configuration, and aside from the frontend (View generators are on the very long TODO list), it can be installed with one quick call to a generator.
You can see the gem in action at https://www.tinfoilsecurity.com, after enabling two-factor authentication from your settings page.
We understand that cryptography is hard, and implementing a complicated system like two-factor authentication is no different. As Shubham Shah demonstrated last week, there’s plenty that can go wrong, and that’s why we need to work together to solve hard problems like this; next time you think about implementing two-factor authentication, think about letting our gem do the thinking for you.
As with any of the other open source projects here at Tinfoil, pull requests are welcome. We hope this gem helps remove some of the stumbling blocks that keeps companies from offering two-factor authentication and keeping their customers secure. Enjoy.