Today, we are proud to shine a spotlight on what we believe to be an industry first. A few months ago, we quietly rolled out the ability to enable two-factor authentication (2FA) on all accounts, regardless of organisation size. Not just any 2FA, mind you, but the best kind: the Time-based One-Time Password (TOTP) flavour, as standardised in RFC 6238. We elected to implement TOTP rather than something easier, such as sending codes via SMS, because of our commitment to best practice.

It has been shown multiple times [1][2][3] that securing and recovering accounts via SMS can actually decrease the security of those accounts. Attackers have intercepted SMS codes by socially engineering the humans in customer service roles at telecoms providers into migrating a victim's mobile number to a SIM card under attacker control, the so-called SIM swap or port-out attack [1], and by exploiting weaknesses in the SS7 signalling network that carries text messages between carriers [2]. An SMS code only proves that whoever holds the phone number right now received it; a TOTP code proves possession of a shared secret that never leaves the user's device. TOTP introduces slightly more friction for the account owner compared with SMS, however we believe the trade-off more than pays for itself.
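As an added illustration of the mechanism the post is choosing (this is example code written for this page, not the provider's own implementation, which the post does not show), the following Python sketch implements RFC 6238 TOTP generation and verification the way a server would: HMAC-SHA1 over a 30-second time counter, 6-digit codes, a one-step drift window, and a per-user "last redeemed step" so that a code captured in transit cannot be replayed. The 6-digit/30-second/SHA-1 parameters are the RFC defaults and what authenticator apps expect; the one-step window and the replay check are design choices assumed here, and the demo secret is the RFC 6238 test-vector key, not a real one.

```python
"""TOTP (RFC 6238) generation and verification, with replay protection.
Added example for this page; parameters follow the RFC defaults."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Tuple
from urllib.parse import quote

# RFC 6238 defaults, which is what common authenticator apps expect.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int, window: int = 1) -> Tuple[bool, int]:
    """Verify a submitted code against the current step and `window` steps
    either side (tolerates clock drift between server and phone).

    `last_counter` is the highest time step already redeemed for this user
    (store it per user; -1 before first use). Any step at or below it is
    rejected, so a captured code cannot be replayed within the window.
    Returns (accepted, new_last_counter)."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False, last_counter
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already redeemed (or older): replay, reject
        # Constant-time comparison so the check cannot be timed digit by digit.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


def new_secret(nbytes: int = 20) -> bytes:
    """160-bit random shared secret (the size recommended by RFC 4226)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 Appendix B test key: constructed demo data, not a real secret.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "ExampleAPI"))
    now = int(time.time())
    code = totp(demo_secret, now)
    ok, last = verify_totp(demo_secret, code, now, last_counter=-1)
    replay, _ = verify_totp(demo_secret, code, now, last_counter=last)
    print(f"code={code} accepted={ok} replay_accepted={replay}")
```

Two points worth noting when adapting this: the `last_counter` value must be stored per user and updated atomically with the login, otherwise two requests carrying the same captured code can race past the replay check; and the drift window should stay small (one step either side is plenty for phones that sync their clocks), since every extra step widens the set of codes an attacker can guess or reuse.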

Some may call our approach to account safety overkill for a rendering API. We disagree. We recognise the need and desire for the fabled “nine nines” of uptime and how your app depends on our services to deliver that to YOUR paying customers. We are proud to put into code our commitment to being a secure and enterprise-friendly screenshot and PDF API provider, and to furthering the spread of 2FA across the net! If you are ready to go, salivating at the keyboard, just head over to the dedicated 2FA management page within your account and click the green button to get started!

Watch this space for our new enterprise-related feature updates and witness our commitment to enterprise and indie builders alike.

We are looking forward to your feedback and other feature suggestions, so please keep them coming. Get in touch via Twitter or email to share your thoughts with us. Don’t forget to let us know if you would like to see any other forms of MFA; we are also considering SSO support if there is enough demand for it!

Examples of bad 2FA:
[1] The Verge, 2017: https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
[2] Kaspersky blog, SS7 exploited: https://www.kaspersky.com/blog/ss7-hacked/25529/
[3] The Register, 2018, Reddit SMS 2FA breach: https://www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/