We’re excited to announce today that we’re taking Authful -- our API for Two Factor Authentication (2FA), which we believe is the easiest way to implement 2FA -- open source. Open source announcements can be greeted with a mix of welcome and puzzlement, so we wanted to take a minute to introduce Authful, and explain why we built it.
How We Did It -- the Authful Truth
We originally created Authful as an internal application that lets MongoHQ customers enable and configure two-factor authentication, raising the bar for anyone trying to access your MongoHQ account. Since a large part of the value we offer is reducing the risk of deploying MongoDB, it's on us to use every security-enhancing feature available.
Why We Created Our Own 2FA App
Why, with several viable 2FA options available, did we create our own implementation? After evaluating some of the pre-built 2FA services, we noticed that they required end users to install the vendor's own mobile app.
Since our goal is to make our customers' lives easier, we didn’t want to require the use of a proprietary app to get the most out of our 2FA feature. So, we created our own, with the goal of making it as easy to implement as possible. Authful allows you to store a unique user key with an optional SMS number and use a very simple API to:
- Create users
- Generate a QR code for enrolling an authenticator app
- Validate OTP tokens
- Manage recovery codes
Authful supports multiple authenticator apps, fallback numbers, recovery codes, and SMS delivery (we went with Twilio for SMS because of its ease of implementation and reliability). And, to make sure we shipped code that had been properly scrutinized, we put Authful through a security audit by Matasano.
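To make the four API operations above concrete, here is an added example of the mechanics behind them (enrollment secret, the otpauth:// URI a QR code encodes, OTP validation with drift and replay handling, and one-time recovery codes). It is illustration written for this post, not Authful's own code, and it assumes Authful's "unique user key" is a standard RFC 6238 TOTP secret, which is what lets it work with any off-the-shelf authenticator app; the SMS fallback path is not shown. Function names and the issuer/account strings are invented for the example, and the fixed test secret is the RFC 4226/6238 reference key.

```python
"""Illustrative TOTP + recovery-code flow (RFC 4226 / RFC 6238), stdlib only.
Example code for this post, not Authful's implementation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

DIGITS = 6
PERIOD = 30  # seconds per time step, the authenticator-app default


def generate_secret(nbytes=20):
    """Fresh per-user shared secret, base32-encoded (this is what the QR code carries).
    20 bytes = 160 bits, the minimum RFC 4226 recommends for HMAC-SHA1."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that Google Authenticator, Authy etc. read from a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS,
                                    "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1(key, counter) -> dynamic truncation -> N decimal digits."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=DIGITS, period=PERIOD):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits)


def verify_totp(secret, token, last_counter=-1, at=None, window=1):
    """Validate a submitted token.

    Returns the accepted time-step counter (persist it as the user's new
    last_counter) or None on failure. window=1 tolerates one step of clock
    drift either side; any counter <= last_counter is refused so a code that
    was sniffed or phished cannot be replayed within its validity window.
    """
    token = token.strip()
    if len(token) != DIGITS or not token.isdigit():
        return None
    at = time.time() if at is None else at
    now = int(at) // PERIOD
    accepted = None
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue  # already used, or older than something already used
        # compare_digest: constant time, so response timing leaks nothing
        if hmac.compare_digest(hotp(secret, counter), token):
            accepted = counter
    return accepted


def generate_recovery_codes(n=8):
    """One-time backup codes, shown to the user once; only hashes are stored.
    Each code carries 64 bits of randomness, so a plain (unsalted) SHA-256 is
    adequate here, unlike for user-chosen passwords."""
    codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_recovery_code(stored, code):
    """Consume a code: True exactly once per code, False for reuse or unknown input."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)  # burn it so it cannot be used again
        return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "MongoHQ"))  # example names
    print("current code:", totp(secret))
```

The persisted state per user is just the base32 secret, the last accepted counter, and the set of unconsumed recovery-code hashes; the QR image itself is only a rendering of the provisioning URI and never needs to be stored.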
Why Open Source?
In a nutshell, we have open sourced this tool because security features should be simple to implement, and we're all better off if it's easy for developers to do the right thing.