

2-Step Authentication and other security enhancements
Jake

Toodledo Founder
Posted: Apr 29, 2014
Score: 0
Today we are announcing 2-Step authentication for Toodledo, which is a way to greatly increase the security of your account by requiring your password plus a one-time code that is generated on your phone. A hacker would need to physically have your phone in order to sign into your account. You can enable this in your account settings.

We have also been working on other security enhancements this year, including the following:

1) You may have heard about the Heartbleed vulnerability a few weeks ago. When it was revealed, we immediately checked all of our servers and determined that we were never affected by Heartbleed, so no action by us was necessary and no action is needed for our customers. That said, it is always a good idea to change your passwords on a periodic basis, and to avoid reusing the same password on multiple sites.

2) Over the last 6 months we have spent a considerable amount of effort implementing "at rest data encryption". This means that your data is encrypted in our database on our servers. So if a hacker ever got access to our database, they would just see gibberish and would not have access to your private data. Much of our users' data is now encrypted in this way and we plan to encrypt more as we are able.

3) We have implemented password guess throttling. If someone tries to sign into your account too many times with an incorrect password, your account will be locked for a period of time. This is to prevent a hacker from trying a million different passwords to sign into an account.

4) We have implemented some protections against clickjacking, cross-site-scripting and cross-site-request-forgery attacks.
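The two mechanisms in points 1 and 3 of the announcement (a phone-generated one-time code checked alongside the password, and a lockout after too many failed sign-ins) can be shown end to end in a few dozen lines. The block below is an added example written for this thread; it is not Toodledo's code and makes no claim about how their servers implement either feature. It assumes the one-time code is a standard RFC 6238 TOTP (the scheme used by common authenticator apps), uses the published RFC 4226/6238 test key `12345678901234567890` as a stand-in secret, and invents the names `LoginThrottle` and `check_login` for illustration.

```python
import hmac
import hashlib
import struct


def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP: HMAC-SHA1 plus dynamic truncation."""
    counter = struct.pack(">Q", timestep)            # 8-byte big-endian moving factor
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte selects 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, period: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side, to tolerate
    clock drift between the server and the phone. Constant-time compare avoids timing leaks."""
    step = int(now // period)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, step + drift), code):
            return True
    return False


class LoginThrottle:
    """Password-guess throttling (hypothetical name): after `max_failures` consecutive bad
    sign-ins an account is locked for `lockout_seconds`, even for a correct login."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}       # user -> consecutive failure count
        self._locked_until = {}   # user -> unix time the lock expires

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Returns "ok", "denied" or "locked"."""
        if now < self._locked_until.get(user, 0):
            return "locked"
        if credentials_ok:
            self._failures.pop(user, None)
            return "ok"
        failures = self._failures.get(user, 0) + 1
        if failures >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = failures
        return "denied"


# RFC 4226 / RFC 6238 test-vector key; a constructed stand-in, never a real user's secret.
SECRET = b"12345678901234567890"


def check_login(throttle: LoginThrottle, user: str, password_ok: bool,
                code: str, now: float, secret: bytes = SECRET) -> str:
    """Both factors must pass; the throttle sees only the combined result, so a correct
    password with a wrong code still counts as a failed attempt."""
    code_ok = verify_totp(secret, code, now)
    return throttle.attempt(user, password_ok and code_ok, now)


def demo() -> list:
    """Constructed sequence: three failures lock the account, a correct login during the
    lock is still refused, and a correct login after the lock expires succeeds."""
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    return [
        check_login(throttle, "alice", True, "000000", 59),               # right password, wrong code
        check_login(throttle, "alice", False, "287082", 59),              # wrong password, right code
        check_login(throttle, "alice", False, "000000", 59),              # third failure -> locked
        check_login(throttle, "alice", True, "287082", 70),               # correct, but lock still active
        check_login(throttle, "alice", True, totp(SECRET, 120 // 30), 120),  # lock expired -> ok
    ]


if __name__ == "__main__":
    print(demo())
```

The `window` parameter is the usual trade-off: one step either side keeps phones with slightly skewed clocks working, while a larger window widens what a guessed code can match. Note also that the throttle keys on the account, so the lockout described in the announcement protects the victim even when the guesses come from many different source addresses.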
pjlewis

Posted: Apr 29, 2014
Score: 1
Thanks Jake for keeping our stuff safe.
dannyw0011

Posted: Apr 29, 2014
Score: 0
I’m very much interested in 2-step authentication; however, I have a couple of questions before attempting to implement it.

1) How do you get the phone app that generates and displays the one-time code? And is there an app for both iPhone and Android?

2) I use Ultimate ToDo List on my Android phone. Until it upgrades to support 2-step authentication, how would I go about setting up an application specific password (as opposed to the normal Toodledo password)? Is this set up within Toodledo or UTDL?
Jake

Toodledo Founder
Posted: Apr 29, 2014
Score: 0
1) When you set up 2-Step authentication in the settings section, it will walk you through getting the app. There are apps for both iOS and Android.

2) After you set up 2-Step authentication in the settings section, there will be an option for creating an app specific password and it will explain how to use it with Ultimate ToDo List or any other app you may be using.
Nick

Posted: Apr 30, 2014
Score: 0
Howdy Jake,

Thank you for rolling this out, although Google authenticator is getting a bit full!

Any timeline for Toodledo on iOS to support 2FAC?
kleerkoat

Posted: Apr 30, 2014
Score: 1
Thanks for keeping users informed. Your policy of being transparent is appreciated!
Jake

Toodledo Founder
Posted: Apr 30, 2014
Score: 0
We are working on updating our iOS app to support it. For now, please make an app specific password for the iOS app.
Kiko

Posted: May 01, 2014
Score: 0
Thank you very much for the improvements.

I'm new to 2-factor authentication, so what are the common procedures if 2-factor authentication is activated and I have my cellphone stolen or lost? Is there a specific password to get access to the site in this case? Do I have to e-mail support?

Thanks in advance!

Best Regards.


This message was edited May 01, 2014.
Jake

Toodledo Founder
Posted: May 01, 2014
Score: 0
If you lose your phone, you can disable 2-step authentication by having Toodledo send you a confirmation email with a special link inside.
pquinn2714

Posted: May 01, 2014
Score: 0
I have activated 2-Step Authentication twice. Each time after I do so successfully it appears in my settings as DISABLED. Not sure why it won't stay as activated.
Jake

Toodledo Founder
Posted: May 01, 2014
Score: 0
Can you please create a support ticket for this so that we can look into your account and see what the problem is?

Thanks