New Backblaze Security Features

By | October 3rd, 2017

How to Use Two Factor Authentication on Backblaze

Today, we are pleased to announce two new security features for Backblaze. Security is a top priority at Backblaze, and we are fully committed to, and proactively invest in, keeping our users secure.

In 2015, we added additional features such as two-factor verification via SMS, which enables customers to use a mobile device to verify their identity when accessing their accounts. Earlier this year we added the ability to use mobile authenticator applications such as Google Authenticator and Authy, providing an additional method for two-factor verification. Authenticator apps provide convenience and an additional layer of access security to accounts should the user have internet access but not cell phone carrier access.

Why Enable Two-Factor for Your Backblaze Account?

We have built our cloud backup and storage products with best-in-class security. As you may know, however, users sometimes unknowingly use practices that provide a point of access they didn’t intend — such as using the same credentials for more than one account or website. By enabling two-factor, you create a level of protection for your account that is much harder to penetrate, even for someone who has somehow obtained your credentials. It’s a smart precaution and should be used on every account where the option is available.

We are the only backup company that provides this level of security to all our customers, no matter what type of account they have. We strongly encourage all our users to use two-factor authentication for their Backblaze accounts.

What’s New?

This week we added two new features that further enhance Two-Factor Verification: Fallback to SMS and Backup Codes. These features are available to all our customers on all accounts, and make our already strong account security even better.

Two-Factor Fallback to SMS

Previously, users could select to have an SMS message sent to them to verify their identity whenever they signed into their account. Some users prefer the convenience and security of an authenticator app, but if they lose access to their phone, they would be unable to verify their identity. For these users, we have added “Fallback to SMS,” which lets the user request an SMS message to verify their identity when the authenticator app is not available.

Two-Factor Backup Codes

What happens if you’ve chosen to use Two-Factor Verification using an authenticator app or SMS and you’ve lost access to your phone and the ability to receive an SMS (or don’t wish to use SMS)?

That’s where Backup Codes come in. By selecting “Get backup codes” on your account settings page, you will receive 10 codes that you can use to verify your identity when you sign into your account. You can copy these codes to a password manager, a notes program, or a file on your computer. Each of these codes can be used only once. If you use up all ten, or wish to revoke them, you can request a new set in your account settings.

Be aware that each of these backup codes gives someone with your credentials access to your account. We strongly recommend using a password manager or another secure location to keep these codes safe. When you select a new set of codes, your previous set will be invalidated, so be sure to replace the old backup codes you’ve saved with the new ones.
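The backup-code rules described in this post (ten 10-character codes per set, each usable once, a new set invalidating the old one) can be sketched as server-side logic. This is an added example, not Backblaze's implementation; the `BackupCodeStore` name, the A-Z/0-9 alphabet, PBKDF2 storage and case-insensitive matching are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumption: A-Z and 0-9
CODE_COUNT = 10    # per the post: ten codes in a set
CODE_LENGTH = 10   # per the post: ten characters each
_DUMMY_SALT = b"\x00" * 16  # lets unknown accounts cost the same as known ones


class BackupCodeStore:
    """In-memory sketch; a real service would persist salt and digests per account."""

    def __init__(self):
        self._sets = {}  # account -> (salt, list of digests of unused codes)

    @staticmethod
    def _digest(salt, code):
        # About 51 bits per code: use a slow KDF so leaked digests resist guessing.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def issue(self, account):
        """Create a new set. Overwriting the entry invalidates the previous set."""
        codes = set()
        while len(codes) < CODE_COUNT:
            codes.add("".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH)))
        salt = secrets.token_bytes(16)
        self._sets[account] = (salt, [self._digest(salt, c) for c in codes])
        return sorted(codes)  # shown to the user once, never stored in clear

    def redeem(self, account, submitted):
        """Accept an unused code as the second factor and burn it."""
        salt, digests = self._sets.get(account, (_DUMMY_SALT, []))
        # Assumption: codes are case-insensitive and pasted spaces are ignored.
        candidate = self._digest(salt, submitted.replace(" ", "").upper())
        for i, stored in enumerate(digests):
            if hmac.compare_digest(stored, candidate):
                del digests[i]  # each code works only once
                return True
        return False

    def remaining(self, account):
        """Number of unused codes, e.g. to prompt the user to request a new set."""
        return len(self._sets.get(account, (_DUMMY_SALT, []))[1])
```

`redeem` stands in for the second factor only, so the email and password check must already have succeeded before it is called. A production version would also rate-limit failed attempts per account.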

Here’s How It Works

Let’s say you’re trying to sign into your account and you’ve previously activated Two-Factor Verification with an authenticator app. For whatever reason, you don’t have access to your mobile device with the authenticator app.

This is the dialog you would see after entering your email and password.

Two Factor Verification screenshot

Without access to your authenticator app — and either Two-Factor Fallback to SMS or Backup Codes — you would be at a dead-end. You could not access your account.

But, if you have these new options, Fallback to SMS and/or Backup Codes, activated in your account, you would be able to select “Other Options” at the bottom of the dialog. This is the dialog you would see.

Alternative Sign-In Recovery screenshot

You can now request that a code be sent to you via SMS (if you have that ability), or you could use one of your unused Backup Codes to sign into your account.

How to Enable These New Options

To enable one or both of these new options, sign into your Backblaze account. From the Overview page, select “My Settings” under Account.

In the middle of the “My Settings” page, you will see the section entitled, Security. Select “Sign In Settings” on the right side.

Backblaze My Settings screenshot

In the Sign In Settings dialog you can select your preferences for Two-Factor Verification. If you are using an authenticator app, we suggest you select “Allow fallback to SMS.”

Backblaze Sign In Settings screenshot

Select Update and exit the dialog.

You are now back in the “My Settings” dialog. In the Security section, select Get backup codes to use if you lose access to your phone.

You will be asked if you wish to receive new backup codes. Select “Yes, Get New Codes.”

Backup Codes instructions

You will see a dialog containing 10 10-character alphanumeric codes. You should copy these codes to a safe place.

Example of Backup Codes

(No, these aren’t real codes — we knew you would ask.)

The ability to receive an SMS code or to use a backup code ensures that you will be able to verify your identity and sign into your account even if you don’t have your mobile device or access to a cell network.

Backup Codes Also Aid Estate and Emergency Planning

It’s a digital world now and we all need to plan for how our family and trusted others will access our online accounts and data if we are incapacitated or deceased. You can give your credentials and backup code(s) to someone you trust who might someday need access to your Backblaze account.

Some password manager applications, such as LastPass and 1Password, let you configure emergency access to your account credentials, account numbers, and other important information should that become necessary. This is a great place to store your Backblaze credentials and FallBack Backup Codes so they are available to your trusted contacts.

Backblaze Advises All Customers to Use Two Factor Verification with Fallback

If you haven’t already turned on Two-Factor Verification in the first place, go to the Sign-In Settings dialog in your Backblaze account and enable Two-Factor Verification.

Backblaze Two Factor Verification screenshot

After you’ve done that and you’ve also selected one or both fallback options described above, you’re all set.

Please let us know if you have any questions about these new security features or best practices for protecting your online accounts and digital assets.

Roderick Bauer

Content Director at Backblaze
Roderick enjoys sailing on San Francisco Bay, motorcycling, cooking, reading, and writing about tech and culture. He is Content Director for Backblaze.

  • SlvrScoobie

    Just had to do this the other day. Tech support had to reset my two step because I had to swap out a phone and lost the authenticator app. This is excellent!

  • reeckyle

    I was a bit disappointed when I read the post. They are useful but what I’d want is:
    * Software password.
    * Not leaking my encryption key to Backblaze when you restore. Yes, you can use an encryption file but if you lose it you’re screwed. Add a third option and do it locally/in software like CrashPlan does. Though I guess that’d require you to invest money in software development which you don’t seem to do.

    • Pete S.

      Although not really a drop-in replacement, have you considered using something like Arq Backup or Duplicati as a backup client with Backblaze B2 as the storage target? You don’t get the “$5/unlimited storage” option of Backblaze’s normal backup service, but the costs are low and data is encrypted locally on your computer prior to being backed up to Backblaze B2 and decrypted locally for restoration.

      If the security of your backups is the primary concern, that might be worth considering.

  • sashk

    Finally. Thank you.

    Only suggestion I have: when generating backup codes, suggest that the user switch to an authentication app (and list a few supported ones, like Google Authenticator, Authy or 1Password). That would help to move away from not very secure text messages.

  • Kolonel Panik

    Unless I am misunderstanding this, which is not unlikely, the Fallback to SMS option is an open invitation to losing control of our data. SMS alone is not appropriate for pw recovery. It is a climb-down, not a fallback!
    It’s OK for second factor verification, but not as an alternate for authentication.
    In other words, if SMS is used IN CONJUNCTION (“and”) with a password, that’s OK, but if used INSTEAD (“or”) of a forgotten password (e.g., an SMS one time code), that is RIDICULOUS, because SMS is essentially open to anyone who cares to intercept it with e.g., a software-defined radio. Please set me straight.

    • The Fallback to SMS or Backup Codes are two options to replace the 2nd factor of the two-factor authentication. The first factor remains the email and password for your account. If you lose access to your authenticator app, you have the option to use one of these as the second factor. Some users prefer not to use SMS; I would suggest to them to use Backup Codes instead.

      • Kolonel Panik

        Understood, and I’m suggesting that BB should make it very clear what the stakes are, which you have not. The Backup Codes are great. SMS is not great, and those who “prefer not to use SMS” likely have well informed reason not to. Why leave the benighted in the dark?
        Note that losing your authenticator app usually means losing your SMS registered phone as well, so the Backup Codes option, written down and secured on your person and/or at home and/or some other safe place (safe deposit) is the actually secure second factor recovery option. I think.

        • Brian Timothy Herlihy

          The majority of us don’t have interception of SMS as an issue we’re likely to deal with. This would be more for those being targeted by governments, corporations or organized crime. I don’t think it’s something that Backblaze would be expected to be discussing here.

          The fundamental thing here is to use security that is appropriate to the expected threats. Most people only need to protect against casual criminals, and should use a level of security that protects against that. I can require two people with physical keys to open my secure safe with my Gmail password in it, but that wouldn’t be appropriate.

          • The issue with SMS isn’t so much direct interception (it’s encrypted over-the-air), but rather having your phone number taken over. It’s fairly easy to have your phone number moved to a new SIM card just by calling the cell provider’s customer service and providing details such as name, address, and SSN (especially since the recent Equifax breach and other prior similar breaches). If your cell phone ever suddenly stops working, it’s a good idea to call your carrier immediately.

          • Jared Caputo

            It’s actually considerably harder, at least in the United States, at the time of writing, to take over a phone number at the major carriers (I know Verizon, AT&T, and T-Mobile first hand, but not Sprint). I know that my own account has extensive protections that should prevent that. Of course, that advice should be followed — if it ever stops working, call immediately.

            On the contrary though, SMS is incredibly easy to intercept. Look up SS7. The transmission with your cell carrier may be encrypted, but after that (or before that, if Backblaze is sending out, once their message reaches the SMS provider), you’re completely vulnerable.

          • Kolonel Panik

            Exactly, thank you Jared. Like honest answers to “security questions,” SMS codes are convenient principally to the service provider, because it’s essentially automated and fast, and doesn’t upset the careless yet demanding customer; but it’s a serious compromise. Herlihy is apparently willing to take the risk, fine, whereas I am saying that BackBlaze should properly apprise users of the risk.

          • SEK

            Unfortunately many service providers opt out of encryption on signalling, to enhance speed of connecting subscribers. SS7 was developed during the 1960s and 1970s for signalling between fixed line exchanges. It was only intended for use on dedicated land lines between exchanges, no risk for eavesdropping there. Digital mobile telephony GSM, CDMA and TDMA, just adopted it for setting up calls, then someone cracked the idea to use the same channel for free Short Message Service, and voila the situation we have now was created.

      • Pete S.

        For those willing to have even higher security at the cost of a bit more money and time, I’d love to have an option where access to an account (particularly B2 accounts, which may have corporate data) can only be reset after Backblaze physically mails a registered letter with a one-time password to the account owner’s mailing address on file.

        I’d happily keep a few bucks of credit in the account to cover processing and administrative costs in such an event. Alternatively, I’d be willing to pay a one-time fee over the phone (or from a public page not requiring one to log into an account) for this, so long as the letter gets sent only to the on-file address and not to the cardholder’s billing address.

        The physical security of registered mail is quite high, and the security benefits of sending a letter to only the address already on file with Backblaze would eliminate the possibility of a bad guy having the letter directed to them instead.

  • Brett

    Thank you for continuing to update the security features that BackBlaze offers! One suggestion, offer server level encryption on your B2 servers as an option. Thanks again!

  • DDF

    Excellent, thanks for implementing. Nicely done.