Blog

Two-factor Authentication: Why you need it

March 1, 2013 | Posted by Cody


Financial advisory firm Deloitte recently published an article detailing the ever-expanding need for two-factor authentication. They predict that “a number of technology and telecommunication companies will likely implement some form of multifactor authentication with their services, software and/or devices in 2013.” I see this less as a prediction and more as an advance report of the facts, since we had the same notion back in 2010 when we announced two-factor authentication for Blesta.

Deloitte’s predictions go even further, stating that passwords previously considered secure (8 characters of mixed-case letters, numbers, and symbols) are now vulnerable to attackers, primarily due to password reuse and the use of graphics cards (GPUs) to perform dictionary attacks. Personally, I’ve never found those types of passwords to be very secure. After all, we know that password strength comes down to entropy (how unpredictable the password is), and entropy increases with length. So rather than trying to remember 8 to 10 character passwords made of letters, numbers, and symbols that have no meaning, why not simply use a long natural-language password? Bonus points if your language of choice is not typical of the application’s audience. Extra bonus points if it’s a dead or non-existent language. Anata no o pasuwado wa nan desu ka? (“What is your password?”)

Image: “Password Entropy Explained” (comic by xkcd, CC BY 2.5)

Of course, what’s more secure than a secure password? How about a password that changes every time you use it? “How could I possibly keep track of that?” you might ask. That’s where two-factor authentication takes over.

Time-based One-Time Passwords (TOTP) are generated by an algorithm that derives a pseudo-random value from a shared secret and the current moment in time (remember, randomness = good). The benefit of two-factor authentication is that you need not put all your trust in the security of your password. Hardware token generators (or apps for your smartphone) produce a one-time password that is used in combination with your standard password and, as the name suggests, is used only once. That means an attacker who knows your password and the token you just used to log in to your account still can’t use that information to log in as you.

Google Authenticator & Blesta

November 1, 2012 | Posted by Cody


When we originally introduced two-factor authentication there weren’t a whole lot of options available for producing one-time passwords. Since then a number of applications have popped up for Android, BlackBerry, and iOS devices. Chief among them is Google Authenticator.

Using Google Authenticator with Blesta is pretty straightforward, but requires a little manipulation to get the key into the correct format. Blesta expects TOTP keys in hexadecimal (base16), while Google Authenticator presents the same shared secret in base32. So we have to convert the Google Authenticator key into hexadecimal before storing it in Blesta.

There are a number of online utilities to perform this operation. Here’s one: http://www.darkfader.net/toolbox/convert/.

As an example, “PEHMPSDNLXIOG65U” (in base32) becomes “790ec7c86d5dd0e37bb4” in hexadecimal. Simply select Time-based One-Time Password as the two-factor authentication method in Blesta, then enter the converted (hexadecimal) value and you’re good to go.
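To make the two posts above concrete, here is an added example (not Blesta’s code, and not from either post) that performs the base32-to-hexadecimal conversion locally in Python, so the shared secret never has to be pasted into a third-party web page, and then generates and verifies a TOTP code from that key following RFC 6238 (HMAC-SHA1 over a 30-second time counter, 6 digits). The function names, the drift window and the defaults are assumptions; the key “PEHMPSDNLXIOG65U” is the one quoted above, and the block also checks itself against the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import struct
import time


def base32_to_hex(b32_key: str) -> str:
    """Convert a base32 secret (as shown by Google Authenticator) to base16 (hex).

    Spaces and lowercase are tolerated, and '=' padding is restored because
    Authenticator secrets are usually displayed without it.
    """
    cleaned = "".join(b32_key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned).hex()


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the counter floor(t / step)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (clock drift tolerance), comparing in constant time."""
    for k in range(-window, window + 1):
        expected = totp(secret, unix_time + k * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Key from the post: base32 "PEHMPSDNLXIOG65U" -> hex "790ec7c86d5dd0e37bb4"
    hex_key = base32_to_hex("PEHMPSDNLXIOG65U")
    print("hex key for Blesta:", hex_key)

    # RFC 6238 test vector (secret "12345678901234567890", T=59, SHA1, 8 digits)
    rfc_secret = b"12345678901234567890"
    print("RFC 6238 check:", totp(rfc_secret, 59, digits=8), "(expected 94287082)")

    # What the Authenticator app would show right now for the converted key
    secret = bytes.fromhex(hex_key)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```

`verify_totp` accepts one step of drift either side, which is what makes codes from a slightly mis-set phone still work. A server should additionally remember the last counter it accepted for each user: within that window a code that was just used would otherwise be accepted a second time, and rejecting it is what makes “used only once” hold in practice.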

You can download the Google Authenticator from the iOS app store, or Android Marketplace.

Blesta 3.0: Staff Login

February 10, 2012 | Posted by Paul


We’ve shown you a fair amount of the staff interface, but today I want to show you the staff login page. Overall this video touches on three things:

  1. Staff Login Page: This is a first, no one outside our team has seen this login page before now.
  2. Two-Factor Authentication: This was originally developed for v3, then back-ported to 2.5.
  3. Resource Preservation: Session expire? Blesta remembers where you were headed.

The staff login page has never been shown before, although I designed it before much of the interface. Two-Factor Authentication was originally developed early on for v3 and then back-ported to 2.5. As far as we know, no one else supports two-factor authentication, making Blesta uniquely secure. We don’t blame them, though; it took plenty of R&D, and most solutions are proprietary. Resource preservation is just a fancy term we coined to say that Blesta remembers where you were going and takes you back there if your session expires, you get logged out, and you log in again.
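The “resource preservation” idea is easy to get wrong: if the remembered destination is taken straight from a request parameter and honoured blindly, the login page becomes an open redirect. The following is an added Python sketch, not Blesta’s implementation (which the post does not show), of remembering a destination and only redirecting to it after login when it is a same-site path. The session dictionary, the function names and the default landing page are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_LANDING = "/admin/"   # assumed post-login page for this example


def safe_return_path(requested: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return `requested` only if it is a same-site absolute path, else `default`.

    Rejects anything a browser could resolve to another host: a scheme
    (https:, javascript:), a network-path reference (//host), backslashes
    (browsers treat '\\' like '/'), and control characters.
    """
    if not requested:
        return default
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        return default
    if not requested.startswith("/") or requested.startswith("//"):
        return default
    if "\\" in requested or any(ord(ch) < 0x20 for ch in requested):
        return default
    return requested


def remember_destination(session: dict, requested_path: Optional[str]) -> None:
    """Called when an unauthenticated or expired request hits a protected URL,
    just before redirecting to the login page."""
    session["return_to"] = safe_return_path(requested_path)


def destination_after_login(session: dict) -> str:
    """Called once login (password plus one-time code) succeeds; consumes the
    stored destination so it is not reused on a later login."""
    return session.pop("return_to", DEFAULT_LANDING)


if __name__ == "__main__":
    session = {}   # constructed stand-in for a server-side session
    remember_destination(session, "/admin/clients/view/5?tab=invoices")
    print(destination_after_login(session))   # same-site path is honoured
    remember_destination(session, "//evil.example/phish")
    print(destination_after_login(session))   # falls back to /admin/
```

The check is deliberately an allow-list (must start with a single `/`, no scheme, no host, no backslash or control characters) rather than a deny-list of known bad prefixes, and the stored value is popped on use so one expired session cannot steer every later login.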

The video is below. As usual, you can make the video full screen, and be sure to turn on your sound.

Note: Cody tells me, and I realized afterwards, that OATH is pronounced “oath”, not “oh-auth”, which is something completely different.