little green footballs

Tech Note: Two Factor Authentication Comes to LGF

Sun, Feb 5, 2017 at 4:15:46 pm

Image via Shutterstock

Security has always been a priority in the design of the software that powers Little Green Footballs. As soon as I began writing the code, back in the Paleolithic Era when we were still using flat files instead of a database, I realized that I needed to spend a lot of attention on protecting the site as well as possible. And so far, this effort -- and it takes a lot of effort! -- has paid off. LGF has never been hacked or compromised, although there have been lots and lots of attempts over the years. No website connected to the Internet can ever be 100% safe from hacking, but we do our best to stay current on security matters.

And today I'm announcing the next step to make our system as secure as possible: two factor authentication for signing in to your LGF account.

What is it?

The "traditional" way of signing in to a website employs a username and password. You can make this fairly secure by ensuring your password isn't easily guessed; the best way to do this is to set up passwords that are long strings of random numbers, letters and punctuation symbols, with a password manager such as 1Password (which I use and love).

But the drawback of using just a password for security is that you have only one point of failure; if a hacker guesses or gains access to your password, it's game over, man. And if you were foolish enough to use the same password at more than one website, you could find yourself in a heap of trouble.

This is where two factor authentication ("2FA" for short) comes in. Your password is something you know. Two factor authentication still requires a password, but adds something you have: a cell phone or authenticator app. This makes a hacker's life much more difficult because the password is no longer the sole point of access.

How it works at LGF

First, please note that this is completely optional; you can continue using a password without setting up 2FA. (But please make sure it's a good strong password that you're not using at other sites.)

Our two factor authentication system gives you two options for setting it up: you can give us your cell phone number and we'll send an automatic text message to it when you sign in, with a six-digit verification code that you enter after your username and password. Or you can use an authenticator app which doesn't require a cell phone connection; the app generates a single-use verification code for you to use. Most authenticator apps are free, which is always nice.

Presently we only support the most common cell phone carriers in the US and Canada, so if your carrier isn't in our list you'll have to use an authenticator app. There are many authenticator apps available for all kinds of desktop and mobile devices; on my Mac/iPhone system, I really like 2STP Authenticator because it's very simple to set up on the iPhone and syncs automatically with a companion app on your Mac desktop machine, so you can sign in with it even if your cell phone isn't handy.

How to set up 2FA at LGF

The place to set up 2FA is in your Account Settings, where you'll see the following new section:

That shows what it looks like after configuring it, but when you first see the 2FA section, it will look like this:

You can configure either a cell phone or an authenticator app, or both. If you set up both options, you can choose which one will be used by clicking the "Preferred" option. The "Enabled" checkbox simply turns 2FA on and off for your account.

We'll start by setting up a cell phone. Click the "Configure Cell Phone" button and the following dialog pops up:

Enter your cell phone number, including the area code; you'll notice that the text field automatically formats it for you, so just type the numbers. Then choose your cell carrier from the drop-down list. If your carrier isn't in the list, well... sorry, but you'll have to use an authenticator app instead. (If you'd like us to add your carrier to the list, contact us and let us know which one you use and we'll see if it's possible.)

A note about cell phone numbers: when we store your number in our database, it's encrypted with a very strong encryption method, and the key is stored off-site to keep everything as secure as possible.

When you've entered your number and selected your carrier, click the "OK" button and this dialog appears:

If everything is set up correctly, you'll now receive a text message with a verification code that you should enter, to confirm that your cell phone is working with our system. And that's all there is to it! When your cell phone is configured, the 2FA section will look like this; notice that the "Enabled" checkbox is checked, and "Cell Phone" is now the "Preferred" method:

Important: to configure an authenticator app, you should first go to your device's app store and download the app you want to use, because you'll need it to complete the setup.

When you click "Configure Authenticator App," the following dialog appears:

(Instead of "SECRET_CODE," you'll see a string of random letters and numbers.)

You can configure the authenticator app in one of two ways: by using it to scan the QR code you see in the screenshot above, or by manually setting it up by entering the secret code displayed in the box. (And by the way, that's not a valid code in the screenshot.)

Scanning it is the simplest way; just point your cell phone's camera at the QR code and it should automatically recognize it, scan it, and set up the proper information for you. When the app is set up, click the "OK" button and you'll see the following dialog asking you to enter the verification code from the app, to confirm that everything's cool.

After configuring the authenticator app, the Preferred method will automatically be set to "Authenticator App," but you can always change it back to the cell phone if you wish.

Finally, you can also get a list of 10 backup codes by clicking the "Backup Codes" button. This brings up the following dialog:

The backup codes are a fall-back in case you don't have access to your cell phone or authenticator app. Each backup code can only be used one time, and then it's deleted from your list. In this dialog you can choose to print the list of codes, download a text file containing them, or generate a new list if you're running out of codes.

That, dear readers, is that. And remember, you can always disable 2FA by going to your Account Settings and unchecking the "Enabled" box.

Enjoy your enhanced sign-in security!