Why we’re using 2FA on our new website
What is 2FA?
Let’s start by explaining 2FA. 2FA, or two-factor authentication, is a simple and effective way to secure your account on the new website. It is increasingly common on other websites too, sometimes as an option and sometimes as a requirement.
When you log in, enter your username (usually your email address) and password. Then you’ll need to complete a second verification step: entering a token generated by an app on your smartphone. The token changes continually, so a different one is needed each time you log in.
Why do we use 2FA?
If someone obtains your username and password, or gains access to your email address and uses it to reset your password, then without 2FA they’d be able to log in to your account, obtain your personal information, and see and interact with other members, putting them at risk.
When 2FA is set up, the hacker cannot access your account unless they can enter the token. Without access to your smartphone, they cannot proceed.
In the testing stages, hackers made two attempts to log in. On both occasions, they attempted to reset the password. However, they could not proceed further because 2FA rejected the login attempts, keeping the members’ accounts and the general membership safe.
What if I don’t have a smartphone?
We have made alternative provisions for members who do not have access to a smartphone capable of running the required apps. This takes the form of a memorable word or phrase.
However, recognising the security implications for others, we limit this login method to those who cannot log in using 2FA. These members may be unable to access the entire members’ area of the website. Additionally, no committee member or regional organiser who cannot use 2FA will be able to use the administration area.
Do I have to set it up for every device I use to access the website?
No! You only need the authentication application on one smartphone. Even if you have multiple computers or use different devices to access the members’ area, you use the same smartphone app to generate the token code.
Do I have to enter the code every time I log in?
If you are using the same browser on the same device, you can tick the box to allow access for a 24-hour period. This means you won’t need to enter the token for subsequent logins on that day. If you switch browsers or devices, you’ll need to complete 2FA on each device or browser.
As an aside, if you are using the alternative memorable word option, you’ll be asked for randomly selected characters from it every time you log in.
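As an added illustration (not the website’s own code; the page does not say which algorithm its app uses), here is how a time-based one-time-password check of the kind described above works, including the 24-hour trusted-browser shortcut. It assumes a standard RFC 6238 authenticator app (30-second steps, 6 digits, HMAC-SHA1).

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Assumed parameters of a standard TOTP (RFC 6238) authenticator app. This is
# an illustrative reconstruction, not the website's own implementation.
STEP_SECONDS = 30
DIGITS = 6
TRUST_SECONDS = 24 * 60 * 60  # the "remember this browser for 24 hours" box


def totp(secret_b32: str, unix_time: int) -> str:
    """Compute the 6-digit code an authenticator app would show at unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                skew_steps: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock
    drift). Constant-time comparison so the check leaks nothing about the
    correct code; older codes are rejected, so a captured code soon expires."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def second_factor_ok(secret_b32: str, submitted: Optional[str],
                     trusted_at: Optional[int], now: int) -> bool:
    """Login decision after username and password have been checked: a browser
    trusted within the last 24 hours skips the code; otherwise a valid, fresh
    code is required. Anything else is rejected."""
    if trusted_at is not None and 0 <= now - trusted_at < TRUST_SECONDS:
        return True
    return submitted is not None and verify_totp(secret_b32, submitted, now)
```

A real deployment would also rate-limit code attempts and record which code was last accepted so the same one cannot be replayed within its window.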
But there’s no 2FA on the existing site?
That’s true. The old website is relatively old as websites go and is vulnerable to the latest techniques used by hackers who seek to gain unauthorised access. We want the new website to be as secure as possible.
In addition, the new website allows you to administer your account online, which means entering your personal details. For example, if you’ve chosen to pay for your subscription using gift aid, you’ll enter your legal name and address. Such details aren’t recorded on the old website.
It takes too much time!
Yes, the initial setup does take a few minutes, and it takes a few seconds extra to open your smartphone app and enter a code when you log in. But being hacked can take hours or even months to sort out! It can lead to being outed, reputational damage and financial loss that you may not be able to recover. The extra few seconds to log in are worth it!
As an aside, it’s just as quick as entering specified random characters from a memorable word or phrase.
But I’m willing to take the risk!
You may be willing to accept the risk; in the same way, you may be happy to leave the windows open on your house when you go out or valuables on display in your car. However, decreased security on your account puts not just you at risk but other members and the society as a whole. In addition, the Beaumont Society has legal obligations to keep data safe under the General Data Protection Regulation (GDPR).