Introducing FIDO Universal 2nd Factor Authentication

To better help you ensure your account is safe and secure with Compose, we've expanded our authentication system to support FIDO Universal 2nd Factor (U2F). If you're currently accessing your Compose databases, now would be a good time to increase the security of your account and if you're using 2FA right now, here's another option. Your Compose Account is the key to your database kingdom and you need to do everything you can to keep it secure.

Passwords are just the start

Passwords can be secure, but truly secure passwords can be hard to remember. If you reuse your password and it is compromised, it is a very time-consuming process to change your password for every site and service you use. There are great apps out there like 1Password to generate and manage passwords, but they aren't free and your sign in still only has one authentication factor.

Authentication factors can be things you know, like a password, something you have, like a key or something you are. The more independent factors you have for authentication, the less likely you are to be compromised.

Enter 2FA

To make apps more secure, two-factor authentication (2FA) came onto the scene. 2FA systems require two different pieces of information to be input to verify your identity. One of them can be your password and the other comes from some other source.

There are one-time passcode generator apps for your phone like Google Authenticator, Authy that you configure with accounts at providers like Compose, Github and Gmail which generate one-time passcodes that change using the standards developed by the Initiative for Open Authentication (OATH).

When you login, there's a prompt to enter the token generated by your authentication app or receive a one-time passcode vide SMS text on your phone.

The basic premise behind 2FA is that it is harder for someone to access your account with two authentication factors in place rather than just a password. There is a problem with most of these 2FA systems though; they aren't a second authentication factor, just another thing that you get to know and use to log in. It's basically a second password.

Enter Universal 2nd Factor Authentication

Until now, we've only offered 2FA here at Compose. Today We're introducing Universal 2nd Factor Authentication with hardware keys. U2F means you can authenticate with something you have, a physical hardware key, like a Yubikey that you can plug into your USB port, which can be used as a second factor – something you have.

A Yubikey is a USB device that fits nicely on your keyring and acts as your second factor for authentication. You plug it in to your USB drive and, when prompted by the site you're logging into, push the "Y" button on the device. The Yubikey will communicate with the site to authorize your login.

If you already have a FIDO U2F hardware key, getting it set up with your Compose account is pretty simple, if you don't, we can help you on that front.

Getting Started with Yubikey

Getting your Yubikey setup is pretty straightforward. Keep in mind, that not every site or configuration works with Yubikey. For example, if your computer doesn't have a USB port (like the new Macbook), you can't plug it in. You'll also want to make sure it's compatible with your browser - it works great with Chrome, but isn't supported by Safari. It may not work for you and, if not, you should go ahead and configure 2FA.

To get started, you'll need to have 2FA configured for your account. If you haven't done that, it's pretty simple. To do that login to your account, click here and you'll see this screen:

Select if you want to auth using a text every time you login, or if you want to use an app like Google Authenticator to generate a code for you to use. Both of these 2FA options are considered "things you know." Even if the code was just texted to you or generated by your authenticator app, you're still inputting information that you now know as your second factor for authentication.

As a side note, it's a good idea to add a number to use for Fallback SMS and download recovery codes if you're using an app for authentication.

Now that 2FA authentication is setup, you have a screen like this:

Click view registered keys and you'll have an option to register a key. Give it an alias, click add, plug in your Yubikey, push the button on it and you're all set. Now your Compose account is more secure. Each time you login, you'll input your username, password and make sure you Yubikey is in.

Now you're ready to get started with U2F.