
Now, you can secure your BeanHub account with multi-factor authentication

July 6, 2024
account
new-feature
rename

As we mentioned, security is the top priority when building BeanHub, and it’s undoubtedly also the top priority of most BeanHub users when choosing an account book solution. Many of you have been asking for this for a while, and today we are glad to announce that multi-factor authentication (MFA for short; some call it two-factor authentication or 2FA, depending on how many factors are involved) is available. We currently support two authenticator types: TOTP (Time-based One-Time Password) and FIDO2.

Research shows that users who enable two-factor authentication eliminate 99.9% of the risk of unauthorized access by hackers when their password is compromised. We highly recommend that all BeanHub users enroll MFA authenticators to enhance the security of their accounts. Recovery codes are not implemented yet, so if you lose your MFA tokens, you must email support@beanhub.io from your registered email address to recover your account. Regardless of whether recovery codes are available, there is always a chance of losing a token, so we recommend enrolling at least two different authenticators in case one of them is broken, lost, or stolen.

To enroll an MFA token, visit your account settings page and click the “Manage MFA Tokens” button.

The screenshot of BeanHub account settings page

One user can enroll up to five tokens. You can choose to enroll either a TOTP or a FIDO2 token by clicking the corresponding enroll button:

The screenshot of BeanHub MFA management page

TOTP

For Time-based OTP, you can use a smartphone app as the second factor for authentication. Popular apps such as Google Authenticator, Microsoft Authenticator, Apple’s Passwords, or any other authenticator app supporting TOTP should work.

TOTP works because the host shares a secret value with the user. When you sign in, we compute an HMAC over the current time step (derived from the wall clock) using that shared secret, truncate it to a short numeric code, and compare the result with the one-time password you provided to see if they match. An attacker who obtains the shared secret can compute valid one-time passwords themselves, so protecting that secret is essential. In the name of defense in depth, we use AWS Key Management Service to generate a hardware-protected data encryption key to protect your TOTP secret value.
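To make the mechanism concrete, here is an added example (not BeanHub’s own code) of the TOTP algorithm from RFC 6238 built on the HOTP construction from RFC 4226, using only the Python standard library. It shows the three things a verifier has to get right: deriving the code from an HMAC over the time-step counter, accepting a small clock-skew window, and rejecting a code once it has been used. The secret below is the well-known RFC test secret (ASCII "12345678901234567890"), so the outputs can be checked against the RFC test vectors; the function and parameter names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per time step, the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: float, step: int = TIME_STEP) -> int:
    """The TOTP counter is simply the number of whole time steps since the epoch."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: Optional[float] = None,
         digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP is HOTP with the time-step counter as the moving factor."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, time_counter(unix_time, step), digits)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[float] = None,
                window: int = 1, last_used_counter: Optional[int] = None,
                digits: int = 6, step: int = TIME_STEP) -> Optional[int]:
    """Verify a submitted code.

    Returns the time-step counter the code matched (the caller should persist it
    as last_used_counter for this user) or None if the code is rejected.
    - `window` steps on either side of "now" tolerate clock skew between the
      server and the authenticator app.
    - Any counter at or before `last_used_counter` is refused, so a code that was
      already used (or phished and replayed) cannot be accepted a second time.
    - The comparison is constant-time so response timing leaks nothing.
    """
    if unix_time is None:
        unix_time = time.time()
    submitted = submitted.replace(" ", "")
    current = time_counter(unix_time, step)
    for candidate in range(current - window, current + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue  # replay of an already-consumed step
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return candidate
    return None


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the secret as unpadded Base32; normalize and decode it."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)  # restore padding the app omits
    return base64.b32decode(text)


# RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890"
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("code for t=59 (expect 287082):", totp(RFC_SECRET, 59))
    print("current code:", totp(RFC_SECRET))
```

Note that `verify_totp` has no secret of its own to keep: anyone holding `secret` can produce every future code, which is exactly why the stored secret deserves the same protection as a password database (the envelope encryption described above), and why the server should persist the returned counter to block replays.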

FIDO2

As for FIDO2, the most popular option is YubiKey, which you can purchase from their website. Other than YubiKey, there are less well-known open-source alternatives such as SoloKeys or OnlyKey if you prefer open-source solutions. We recommend FIDO2 over TOTP because most TOTP apps run on smartphones, and a smartphone is more likely to be compromised than a dedicated hardware FIDO2 device. However, if you don’t have any FIDO2 devices, we still recommend you use TOTP. Despite being less secure than FIDO2 in most cases, TOTP is still an easy win in securing your account compared to not having any MFA token enrolled.

Why we don’t support SMS

We intentionally skip SMS (Short Message Service) as a second-factor authentication option, even though many banks use it nowadays.

SMS-based two-factor authentication is known to be vulnerable to SIM swap attacks. Someone could pretend to be you, call your cellular service provider, and ask them to transfer your phone number to a new SIM card. Or, insiders at the cellular service provider could work with hackers and use the staff dashboard to transfer your phone number to another SIM card without your consent. Security incidents like this have happened on a large scale in the past; even the ex-CEO of Twitter was one of the victims.

Beyond SIM swap attacks, the SMS communication channel itself is not as secure as many would imagine. With that in mind, we don’t consider SMS a secure MFA option, and we’ve decided not to implement SMS-based authentication.

Final thoughts

Currently, we only require users to perform MFA authentication when signing in. In the future, we will extend MFA authentication to critical operations to further enhance BeanHub’s security. Also, we may require MFA authentication enabled for users to use BeanHub Connect.

As you can see, we are rolling out new features at lightning speed, and as more features are added, we will raise the price accordingly. As a reminder, on August 1st, 2024, we will raise the Pro price from $9 to $12 per month billed monthly, and from $11 to $15 (USD) per month billed annually. Take advantage of the opportunity to sign up for BeanHub Pro while the price is still low!