CloudFlare, the popular website security and CDN service, suffered an embarrassing security breach earlier this year when the Gmail account of the company’s CEO was hijacked, giving the hacktivist group UGNazi access to a customer’s account and the service. Even though CloudFlare CEO Matthew Prince used Gmail’s two-factor authentication, the hackers used some smart social engineering to work around this. After this incident, CloudFlare promised to soon offer two-factor authentication for its own login system as well, and today the company is launching this new system.
As Prince told me yesterday, the company spent a lot of time researching the different options for enabling this feature and finally settled on working with Authy, a Y Combinator-backed startup that launched out of the accelerator’s last summer program. Internally, CloudFlare has been testing Authy for its own admin system for the last three months and it’s now ready to distribute it to its users.
As Prince also writes in today’s announcement, the company considered a number of other solutions, including Google Authenticator, but the CloudFlare team was “nervous about handing another key to identity over to a company whose primary business is search and advertising.” The fact that the last security breach was due to a flaw in Google’s system clearly didn’t help here either.
Prince says CloudFlare also considered a fob-based system, but this idea was rejected because of the cost of giving one of these to all of the company’s customers.
CloudFlare says Authy has “created a beautiful, simple, elegant app that implements TOTP [a time-based one-time password algorithm].” The system works pretty much like Google Authenticator, and because each code is only valid for about 30 seconds, an attacker who managed to get hold of one of these codes in time (which is difficult enough) generally won’t have enough time to gain access to an account.
Getting started with two-factor authentication is easy enough, so if you are a CloudFlare user, head over here to get started (and if you are a Gmail user who doesn’t use two-factor authentication, head over here and make sure your account is safe, too).