The CoachAccountable Blog

Master CoachAccountable and become the best dang coach you can be. Also, news.

2-Factor Authentication via SMS

Last week we got an earnest inquiry from Andrew Hinkelman of Priority 1 Group that was very simple:

Do you offer multifactor authentication (MFA) for client credentials/login? If so, I assume one factor could be a code sent via text message?

When Morgan replied with the truth of the matter (no, we do not), we got back:

Is multifactor authentication on your roadmap? If so, roughly when?

Well, at the time it really wasn’t.  Morgan let him know the full scoop, and got back the following:

I’m an executive coach working with leaders in tech. I’m also a recent CTO and managed a team responsible for information security. So… I think not having an additional authentication factor is a deal-breaker for me. I simply cannot direct my corporate clients to use a SaaS service that is not hitting baseline security measures and expect them to use the platform for sharing/storing our 1:1 coaching work.
I really loved everything else I saw about coach accountable so I’m bummed to have to restart my search…

“Not hitting baseline security measures?!?”  Well now, that’s really throwing down the gauntlet, isn’t it? :)

And far be it from me to make Andrew have to restart his search!

In truth, adding 2-factor authentication isn’t terribly hard, ESPECIALLY if we skip over authenticator apps and just start with SMS-based codes.  CoachAccountable already transacts via SMS in countries that represent over 90% of our users.

I’ve had MFA come up as a request a few times over the last several years (expressed interest has actually been quite rare).  I didn’t jump on cooking up SMS-based 2FA on account of security researcher reports that SMS is technically not a fully secure channel, owing to SIM-swap attacks (a code texted to your number goes to whoever talks the carrier into moving that number to their SIM) and other niche weaknesses.

But really that was an instance of me letting perfect be the enemy of good.

The fact remains that even humble SMS-based second-factor authentication is a practical step up.  The everyday threat is a password that has leaked or been reused on some other site, and against that a code texted to the account holder’s own phone stops the login outright.  In a world where defense-in-depth matters (and indeed it does, for we don’t ALL live in a spy movie being targeted by nation-state actors), even mostly-secure measures make a meaningful difference!

So I’m happy to report CoachAccountable now supports 2-Factor Authentication over SMS, i.e. for all our users in the US, Canada, UK and Australia[1].  Let’s see how it works!

Enabling 2-Factor Authentication

Anyone with a CoachAccountable account able to receive SMS messages from CA can easily and quickly enable 2-Factor Authentication.  A quick visit to the My Account >> User Profile is all it takes:

User Profile form showing the “Enable 2-Factor Authentication” checkbox, which appears when (1) you’ve got a cell number entered and (2) you’ve chosen one of the countries that CA supports SMS in.

If you’ve got a cell number entered and are in one of the SMS-enabled countries, that “Enable 2-Factor Authentication (via SMS)” checkbox will appear.  Check it, click Save, and it is done!

Using 2-Factor Authentication

When 2FA is enabled, upon successfully logging in you’ll be greeted with pretty much exactly what you’d expect:

2FA Security Code Prompt

Meanwhile your phone will have received a text from CoachAccountable, containing the security code called for in-app.  Type it in correctly and you’ll be on your way.

Even with 2FA enabled, you’ll still have the usual “Keep me logged in” checkbox when logging in.  If you check that, you’ll only need to enter your security code once on that device (until you manually log yourself out again, of course).  Bear in mind that a remembered device then carries a long-lived session that skips the SMS step, so anyone who gets hold of that browser gets in without the code; reserve the option for devices only you control.
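As an added example (not code from CoachAccountable’s own implementation), here is the login flow just described written out server-side in Python: a one-time code texted after the password check, accepted only once and only within a short window, with a cap on wrong guesses (a six-digit code is brute-forceable without one), and a remembered-device token standing in for “Keep me logged in”.  The code length, lifetime, attempt limit, user identifiers and the SMS sender are assumptions; the SMS gateway is replaced by an in-memory outbox so the whole thing runs offline.

```python
"""Added example, not CoachAccountable's own code: the SMS second step
described above, after the password has already been checked. The server
draws a short numeric code, texts it, and grants the session only when the
user types the matching code; "Keep me logged in" is a random remembered-
device token that skips the SMS step later. Code length, lifetime, attempt
limit and the SMS sender are assumptions; nothing here touches a network.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6           # assumption: 6-digit code
CODE_TTL_SECONDS = 300    # assumption: code expires after 5 minutes
MAX_ATTEMPTS = 5          # assumption: a code dies after 5 wrong guesses


class SmsSecondFactor:
    """Issue and check one-time SMS codes for users who enabled 2FA."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, text); injected so the demo runs offline
        self.now = now
        self._pending = {}         # user_id -> [code, expires_at, attempts_left]
        self._remembered = {}      # device_token -> user_id

    def start(self, user_id, phone):
        """Right after a correct password: text a fresh code to the number on file."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = [code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your CoachAccountable security code is {code}")

    def verify(self, user_id, typed_code, remember_device=False):
        """Return (ok, device_token); the token is set only when the user asked
        to be remembered and is what a later login presents to skip the SMS."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, None
        code, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            self._pending.pop(user_id, None)   # expired or locked: must start over
            return False, None
        # Constant-time compare so timing does not reveal matching leading digits.
        if not hmac.compare_digest(code, str(typed_code)):
            entry[2] -= 1                      # count the guess; this is the brute-force cap
            return False, None
        self._pending.pop(user_id, None)       # single use: a correct code is consumed
        token = None
        if remember_device:
            token = secrets.token_urlsafe(32)
            self._remembered[token] = user_id
        return True, token

    def device_is_remembered(self, user_id, device_token):
        """True when this browser already passed the SMS step and asked to be remembered."""
        return device_token is not None and self._remembered.get(device_token) == user_id

    def logout(self, device_token):
        """Manual logout forgets the device; the next login asks for a code again."""
        self._remembered.pop(device_token, None)


def _other_than(code):
    """A guess guaranteed to differ from the real code (for the demo)."""
    return "000000" if code != "000000" else "111111"


def demo_sms_2fa():
    """One login with a typo then the right code, a remembered device, a lockout, an expiry."""
    outbox = []                                   # constructed stand-in for the SMS gateway
    clock = [1_700_000_000.0]                     # constructed, controllable clock
    mfa = SmsSecondFactor(send_sms=lambda phone, text: outbox.append((phone, text)),
                          now=lambda: clock[0])
    user, phone = "coach-42", "+15555550100"      # constructed user and number
    last_code = lambda: outbox[-1][1].rsplit(" ", 1)[1]   # what the user reads off the phone

    mfa.start(user, phone)
    wrong = mfa.verify(user, _other_than(last_code()))[0]
    ok, token = mfa.verify(user, last_code(), remember_device=True)
    replay = mfa.verify(user, last_code())[0]     # same code again: already consumed
    remembered = mfa.device_is_remembered(user, token)
    mfa.logout(token)
    after_logout = mfa.device_is_remembered(user, token)

    mfa.start(user, phone)                        # a guesser burns the attempts; even the real code then fails
    for _ in range(MAX_ATTEMPTS):
        mfa.verify(user, _other_than(last_code()))
    locked = mfa.verify(user, last_code())[0]

    mfa.start(user, phone)                        # code left unused past its lifetime
    clock[0] += CODE_TTL_SECONDS + 1
    expired = mfa.verify(user, last_code())[0]

    return {"wrong": wrong, "right": ok, "replay": replay, "remembered": remembered,
            "after_logout": after_logout, "locked": locked, "expired": expired}


if __name__ == "__main__":
    print(demo_sms_2fa())
```

In a real deployment the pending code and the remembered-device tokens live in the database rather than in dictionaries, and the device token is handed to the browser as a Secure, HttpOnly cookie; the checks themselves (single use, expiry, attempt cap, constant-time comparison) are what matter.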

2FA and Magic Links

CoachAccountable will still send magic links in emails to you (and your clients) that have the effect of automatically logging you in.  This auto-login behavior sidesteps the SMS check entirely: since the link signs you in on its own, access to your email effectively stands in for both the password and the second factor.  In practice that means an SMS-protected account is only as safe as the mailbox it is tied to, so that mailbox deserves a strong, unique password and its own 2FA.

Accordingly, the Login Helper/password reset system also lets you get past any problems receiving the SMS code on the mobile number on file, so you can change that number as needed.
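The point above cuts both ways: a magic link is convenient precisely because it needs no password and no SMS, so the link itself has to be unguessable, short-lived and usable exactly once.  As an added example (not CoachAccountable’s code) of those three properties in Python, with a hypothetical URL, lifetime and in-memory store standing in for the real site and database:

```python
"""Added example, not CoachAccountable's own code: an e-mail magic link.

The link logs the recipient in directly, so whoever can read the mailbox
gets in without the password or the SMS code. In return the link must be
high-entropy, stored only as a hash, short-lived and single-use. The URL,
lifetime and user identifiers are assumptions for illustration.
"""
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60                    # assumption: link valid for 15 minutes
BASE_URL = "https://example.invalid/login"    # assumption: not the real site


class MagicLinks:
    """Issue and redeem single-use login links."""

    def __init__(self, now=time.time):
        self.now = now
        self._issued = {}         # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Return the URL to put in the e-mail. Only a hash of the token is
        kept, so a copy of this table does not let anyone forge a working link."""
        token = secrets.token_urlsafe(32)     # 256 bits: unguessable, unlike a 6-digit code
        self._issued[self._digest(token)] = (user_id, self.now() + LINK_TTL_SECONDS)
        return f"{BASE_URL}?token={token}"

    def redeem(self, url):
        """Return the user_id to log in, or None. pop() makes a link work exactly once."""
        token = url.rsplit("token=", 1)[-1]
        entry = self._issued.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.now() > expires_at:
            return None
        return user_id


def demo_magic_link():
    """Click once (works), click again (dead), tamper (dead), wait too long (dead)."""
    clock = [1_700_000_000.0]                 # constructed, controllable clock
    links = MagicLinks(now=lambda: clock[0])
    url = links.issue("client-7")             # constructed user
    first = links.redeem(url)                 # logs in: no password, no SMS
    second = links.redeem(url)                # forwarded or replayed e-mail: already consumed
    tampered = links.redeem(url[:-1] + ("A" if url[-1] != "A" else "B"))
    late_url = links.issue("client-7")
    clock[0] += LINK_TTL_SECONDS + 1
    late = links.redeem(late_url)             # opened after the lifetime passed
    return {"first": first, "second": second, "tampered": tampered, "late": late}


if __name__ == "__main__":
    print(demo_magic_link())
```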

Summing Up and Looking Ahead

For over 90% of our users, Multi-Factor Authentication is now a thing in CoachAccountable.  It is completely optional, but easy to activate for anyone who would like that added peace of mind brought by the extra security.

Eventually I’m sure I’ll add authenticator app support, so that all users will have the option to secure their accounts by MFA.  But for now I’m happy to release a win for most.

Finally, my express thanks to Andrew, whose thoughtful comments brought about this enhancement sooner rather than later.  Here’s to the journey of continuous progress!

Note:
  1. Or, more precisely, users who have a US, Canadian, UK, or Australian phone number capable of receiving SMS messages.


2 Comments »

  1. Jonn Kares

    Hi John,
    So when 2FA is selected in my profile, is it just when I log in that I’ll have to enter the SMS-sent code, or ALSO for each of my clients as well whenever they log in?
    Thanks,
    Jonn

    January 10, 2022 @ 12:33 am

  2. John

    Great question! When one enables 2FA, that’s just for themselves. Having 2FA enabled or not is a choice that every user gets to make for themselves.

    January 12, 2022 @ 8:37 am
