Two-Factor Authentication


tl;dr: Tinfoil Security now has two-factor authentication, and with our open source gem, you can too.

Here at Tinfoil Security, we spend a lot of time thinking about how to empower our users to keep themselves secure. Until a few weeks ago, we only offered a single-factor login for our users, and in this age of rampant password theft, that just wouldn't cut it.

Two-factor authentication adds one more step to logging in, after you've entered your password, which helps prove you are who you claim to be. Just as an ATM requires you to have knowledge of a PIN and possession of a physical card, two-factor authentication requires you to have both knowledge of a password and access to a temporary code that can only be generated by your physical device. In our case, that device is a smartphone running an application like Google Authenticator, which derives a short-lived code from a secret shared with the server at enrollment time.
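To make the mechanism concrete, here is an added example (written for this page, not code from devise-two-factor or Tinfoil Security) of the time-based one-time password scheme that Google Authenticator and similar apps implement: RFC 4226 HOTP under an RFC 6238 time counter. The shared secret is handed to the app as Base32, the server verifies submitted codes with a small clock-drift window, compares them in constant time, and refuses to accept a code at or before the last step it already accepted, so a code sniffed during its 30-second lifetime cannot be replayed. The `last_step` argument and the issuer/account names are assumptions for illustration; the test vectors at the bottom are the published ones from RFC 4226 and RFC 6238.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example of TOTP (RFC 6238) over HOTP (RFC 4226), the scheme
# authenticator apps speak. Not devise-two-factor's code. Parameters are the
# defaults Google Authenticator assumes: HMAC-SHA1, 30-second step, 6 digits.
module TotpExample
  STEP   = 30
  DIGITS = 6
  BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

  # HOTP: HMAC-SHA1 over the 8-byte big-endian counter, "dynamic truncation"
  # of 4 bytes at an offset taken from the last nibble, masked to 31 bits,
  # then reduced modulo 10^digits and zero-padded.
  def self.hotp(secret, counter, digits: DIGITS)
    hmac   = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
    offset = hmac.bytes.last & 0x0f
    code   = hmac[offset, 4].unpack('N').first & 0x7fffffff
    (code % 10**digits).to_s.rjust(digits, '0')
  end

  # TOTP: the HOTP counter is the number of whole steps since the Unix epoch.
  def self.totp(secret, time, step: STEP, digits: DIGITS)
    hotp(secret, time.to_i / step, digits: digits)
  end

  # Constant-time comparison so the verifier does not leak how many leading
  # digits of a guess were right.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verify a submitted code, tolerating `drift` steps of clock skew each way.
  # `last_step` (assumed to be persisted per user) is the step of the last
  # accepted code; steps at or before it are rejected to block replay.
  # Returns the accepted step (to store as the new last_step) or nil.
  def self.verify(secret, code, time, last_step: -1, drift: 1)
    code = code.to_s.delete(' ')
    return nil unless code =~ /\A\d{#{DIGITS}}\z/
    base = time.to_i / STEP
    (base - drift..base + drift).each do |step|
      next if step <= last_step
      return step if secure_equal?(hotp(secret, step), code)
    end
    nil
  end

  # Secrets are shown to the user as Base32 (RFC 4648), which is what the
  # authenticator app expects to scan from a QR code or type by hand.
  def self.base32_encode(bytes)
    bits = bytes.unpack('B*').first
    bits += '0' * ((5 - bits.size % 5) % 5)
    bits.scan(/.{5}/).map { |chunk| BASE32[chunk.to_i(2)] }.join
  end

  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map do |c|
      idx = BASE32.index(c) or raise ArgumentError, "bad base32 char #{c}"
      idx.to_s(2).rjust(5, '0')
    end.join
    [bits[0, bits.size - bits.size % 8]].pack('B*')
  end

  # 160-bit secret, the natural key size for HMAC-SHA1.
  def self.generate_secret(bytes = 20)
    base32_encode(SecureRandom.random_bytes(bytes))
  end

  # otpauth:// URI as consumed by Google Authenticator, usually via a QR code.
  def self.provisioning_uri(issuer, account, base32_secret)
    esc = lambda do |s|
      s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
    end
    "otpauth://totp/#{esc.(issuer)}:#{esc.(account)}?secret=#{base32_secret}&issuer=#{esc.(issuer)}"
  end
end

if $PROGRAM_NAME == __FILE__
  # Enrollment: mint a secret, show the URI; login: compute and verify a code.
  b32    = TotpExample.generate_secret
  secret = TotpExample.base32_decode(b32)
  puts TotpExample.provisioning_uri('Example Corp', 'alice@example.com', b32)
  now  = Time.now.to_i
  code = TotpExample.totp(secret, now)
  puts "code #{code} accepted at step #{TotpExample.verify(secret, code, now).inspect}"
end
```

Two things this example deliberately leaves to the surrounding login flow: the raw secret must be stored protected at rest (devise-two-factor encrypts it), and code submission must be rate-limited or locked out after a handful of failures, since a 6-digit code with a three-step window gives an unthrottled attacker roughly a 1 in 333,000 chance per guess.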

We audited a few existing two-factor authentication gems for Ruby on Rails, and none of them fit our requirements: we needed a solution that wouldn't interfere with our other access policies (API and SAML, primarily), while also being flexible enough to integrate into our existing login flow. Rather than rewrite large swathes of existing code, we opted to build our own gem, and after using it for a few weeks in production, we've decided to open source it. We're hoping that the ease of integration will drive other developers to further secure the apps we already love.

With that, we'd like to announce devise-two-factor, a plugin for Devise which abstracts away all of the messy authentication details for you, so that you can focus on integrating the functionality into your UI. It plays nicely with all of your existing Devise configuration, and aside from the frontend (view generators are on the very long TODO list), it can be installed with one quick call to a generator.

You can see the gem in action at https://www.tinfoilsecurity.com, after enabling two-factor authentication from your settings page.

We understand that cryptography is hard, and implementing a system like two-factor authentication is no different. As Shubham Shah demonstrated last week, there's plenty that can go wrong, and that's why we need to work together to solve hard problems like this; next time you think about implementing two-factor authentication, consider letting our gem do the thinking for you.

As with any of the other open source projects here at Tinfoil, pull requests are welcome. We hope this gem removes some of the stumbling blocks that keep companies from offering two-factor authentication and keeping their customers secure. Enjoy.


Shane Wilton

Shane Wilton is the Grand Magistrate of Security at Tinfoil Security, and the company's resident programming language theorist. When he isn't coding in a functional language like Elixir, he's probably hacking on an interpreter for an esolang of his own, or playing around with dependent types in Idris. Security is always at the forefront of his thoughts, and he enjoys building tools which make it easy for other engineers to write secure code. His love for security is matched only by his love for bad movies - and does he ever love bad movies.

Tinfoil Security Blog

Tinfoil Security provides the simplest security solution. With Tinfoil Security, your site is routinely monitored and checked for vulnerabilities using a scanner that's constantly updated. Using the same techniques as malicious hackers, we systematically test all the access points, instantly notifying you when there's a threat and giving you step-by-step instructions, tailored to your software stack, to eliminate it. You have a lot to manage; let us manage your website's security.