Over the summer of 2022, we started making some changes to how two-factor authentication (2FA) works in ControlShift. These changes have allowed us to improve security, provide more modern features, and make two-factor authentication available to more users.
As part of this change, users who had previously enabled two-factor authentication via Authy will need to do a one-time setup step to switch to the new version. This should only take a few minutes, and we’ll provide step-by-step instructions.
Why is this happening?
When we first added two-factor authentication support to ControlShift back in 2015, it wasn’t nearly as common as it is today. Our original 2FA implementation used the Authy API, required users to provide a phone number, and supported SMS as an option for receiving tokens.
ControlShift has grown and changed over the past 7 years, and so has thinking about Internet security. SMS for 2FA is no longer considered a good security practice. Requiring a phone number can be confusing and raise concerns about mobile charges. The growing number of users interested in 2FA is a good sign that security is on everyone's minds, but has made the pay-per-request API model more expensive.
For all of these reasons, it’s time for us to shift to a new 2FA implementation. And as an added reason, the Authy API that we're currently using to provide 2FA will be shutting down within the next year. So it’s urgent that we get everyone switched over to the new 2FA method soon.
How do I know if this affects me?
If you log into your ControlShift account and go to My Account > Password & Security, you can see whether you have 2FA enabled. If you see “Two-factor authentication via Authy is enabled”, then you’re using the old 2FA implementation. From that same page, you can click “Switch to TOTP” to start the process of switching to the new implementation.
We'll also show a red banner on the org admin homepage if your account requires the update.
What will I need to switch to TOTP?
You’ll need an authenticator app, such as Google Authenticator or Authy. (Even if you want to continue using the Authy app, you will still need to go through the update process.) If you don’t already have one on your phone, you should be able to download an authenticator app from wherever you usually get apps.
When do I need to do this?
We expect the Authy API that we're currently using for our 2FA implementation to fully stop working in early 2023. Any user accounts that have not already switched from Authy to TOTP will then have 2FA disabled.
That said, don’t wait until next year! We encourage all users who have 2FA set up with Authy to switch as soon as possible.
If Authy is going away, can I still use the Authy app?
Yes, while the Authy API that we use to power 2FA is going away, the Authy app is not. You can use the Authy app as your authenticator app if you'd like. However, even if you'd prefer to use the Authy app as your authenticator app, you will still need to go through the switch to TOTP process if you see that message in your account.
As an analogy, the Authy API is like a card and the Authy app is like a wallet. We're asking you to request a new card (switch from the Authy API to TOTP) because the old one is expiring, but you're welcome to put the new card in your existing wallet (the Authy App).
Once I switch, can I still use SMS for two-factor authentication?
No. We’re discontinuing support for sending tokens via SMS, because it is no longer considered a good security practice.
Do I need an American phone number to use two-factor authentication?
No. The new (TOTP) 2FA implementation doesn’t require a phone number at all.
Can you walk me through the process step by step?
When you click to upgrade your account, we'll guide you through the process. The first step is to go to My Account > Password & Security and click "Switch to TOTP" or click "Update your 2FA" from the red banner on the org admin homepage. On this page you'll see a QR code and an alphanumeric code. Open your authenticator app (Authy, Google Authenticator, etc.) and click to add a new account. You can either scan the QR code or copy/paste the alphanumeric code. Once the new account is created in your app, you'll see a 6-digit code and a timer. Click "Continue" on ControlShift, and then enter that new 6-digit code into the box on ControlShift before the timer runs out on your app. Then click "Enable."
At this stage you'll be shown the option of downloading security codes. We strongly recommend downloading the codes and storing them securely. If you lose access to your phone and authenticator app, these codes will be the only way of accessing your account. When you're done, click to continue, which completes the process.
The next time you log in you'll be asked to enter the 6-digit code from the newly-added account in your authenticator app. You will no longer be able to log in by requesting an SMS code.
What is TOTP, anyway? Where can I read all the technical details about it?
TOTP stands for Time-based One-Time Password. It’s an industry standard for 2FA. The basic idea is that ControlShift and your authenticator app both know a certain secret number, and can do some math with that secret number and the current time to produce an unguessable six-digit token. If a malicious actor is listening in and tries to copy your six-digit token, they won’t be able to reuse it to log in to your account.
If you want all the low-level technical details, RFC 6238 spells out the specification for TOTP.
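To make the enrollment steps above and the "secret number plus current time" description concrete, here is a small added example that is not part of this help article and not ControlShift's own code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and six digits, builds the otpauth URI that an enrollment QR code typically encodes (with the base32 string being the kind of alphanumeric code a user can paste into an app instead of scanning), and shows a server-side verifier with a one-step clock-drift window and replay protection so that a captured code cannot be reused. The 20-byte secret "12345678901234567890" is the published test secret from those RFCs and is used only to check the implementation against their test vectors; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"),
# used only to check this implementation against the RFC test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is the code the authenticator app displays next to its countdown timer."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def new_secret() -> bytes:
    """Fresh 160-bit shared secret, generated by the server at enrollment time."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> Tuple[str, str]:
    """Return (base32 secret, otpauth URI). The URI is what the enrollment QR code
    encodes; the base32 string is the pasteable alternative to scanning it."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return b32, uri


def secret_from_base32(b32: str) -> bytes:
    """What the app does with the pasted code: restore padding and decode it."""
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server-side check of a submitted code. Accepts the current time step plus
    `window` steps either side to tolerate clock drift, and never accepts a
    time step at or below the last one that succeeded, so a code that an
    eavesdropper copies is useless once the legitimate user has logged in."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1   # highest time-step counter already accepted

    def verify(self, submitted: str, at: int) -> bool:
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue            # already consumed (replay) or too old
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Enrollment: server makes a secret, user pastes the base32 form into the app,
    # app and server now compute the same six-digit codes from time alone.
    secret = new_secret()
    b32, uri = provisioning_uri(secret, "alice@example.org", "ExampleIssuer")
    app_secret = secret_from_base32(b32)
    now = int(time.time())
    first_code = totp(app_secret, at=now)
    verifier = TotpVerifier(secret)
    print("otpauth URI:", uri)
    print("first code accepted:", verifier.verify(first_code, now))
    print("same code replayed:", verifier.verify(first_code, now))
```

The replay check is the property the article alludes to: a code copied off the wire is bound to one 30-second step and, once that step has been consumed (or has passed out of the drift window), the verifier rejects it regardless of how quickly the attacker resubmits it.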
Where can I read about two-factor authentication more generally?
More information about 2FA is available in this help center.
I have questions or concerns, can you help?
Yes. Send us a support email with your question, and we'll get you an answer.