Two Factor Verification via Auth Apps

July 14th, 2017

Security is something we take very seriously at Backblaze. All Backblaze backups occur over HTTPS, are encrypted, and we even have private encryption key functionality available for those who wish to add another layer of protection. In 2015, we added two-factor verification (“2FV”) via SMS to our service, which allowed customers to use a mobile device to verify that they were indeed the ones accessing their Backblaze accounts. Today we are announcing our latest step in helping customers protect their Backblaze accounts – two-factor verification via authenticator applications like Google Authenticator and Authy. To enable that, we now support the “TOTP” protocol.

What is TOTP?

TOTP stands for Time-based One-Time Password, and it allows customers to use a service like Google Authenticator, Authy, or others to access their accounts in a more secure way. This is the underlying authentication algorithm for the vast majority of authentication apps on the market today. A user who has TOTP enabled can use their authentication app of choice for an added layer of security. Users will first log in with their account’s username and password; the incremental layer of security happens next: the authenticator app will generate a time-sensitive password that is valid for only one use.

For a lot of people, receiving SMS messages is cumbersome and doesn’t always work. Now Backblaze users can choose 2FV via SMS or authentication app.

Enabling Two-Factor Verification:
When you log in to your Backblaze account, go to “My Settings” on the left-hand side and navigate towards the middle of the page, where you will see your “Sign-In Settings”. Click on that to make the change.

Backblaze 2FA setup

If you haven’t already, you will need to enter your phone number to enable two-factor verification.
ToTP SMS message

Once done, you will be able to select the frequency at which Backblaze will ask for an advanced authentication method, and you will be able to select your desired method: Two-Factor Verification via SMS or App.
ToTP authorization

That’s it! We hope you like it!

Yev

Chief Smiles Officer at Backblaze
Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology. He also runs social for Backblaze.


  • mcfedr

    Seems to be a step forward, but given that I can choose either sms or app I’m reluctant to enable. Every other site with 2FA lets me use the app, but have sms as a backup (or recovery codes) so that if I lose my phone I can still get in.

  • Hey, is there an option for a recovery code? I’ve been lucky enough to not have LOST my phone yet but if I do how do I log back in again?

    • Not at the moment, if you do lose the auth device, please contact support!

  • thomashouseman

    So if SMS Authentication is already enabled, you need to disable it and re-enable to use google auth?

    • No, you can just select ToTP w/ Auth Apps and set that up, then select which one you’d like to use.

  • Jonah Horowitz

    I love that you guys are doing this! It would be awesome if you started to support U2F at some point.

  • Phil Taylor, The Joomla Expert

    Nothing to be proud of – just means you are years behind the rest of us when it comes to implementing the most basic account security – something that can be implemented in less than an hour from dev to live.

  • Nate Barbettini

    I’ve been waiting for this, thanks! While you’re at it, Yubikey/U2F as a second factor would be fantastic.

    • Glad you like it!

    • thomashouseman

      Agreed. Yubikey/U2F all the way please!

  • John Kemp

    A quick FYI: scanning the QR code in Authy doesn’t fetch your logo or company name, so we get the default key icon and a name of “Generic Blue”. The description ends up “Backblaze:[email address]” so we can at least identify it in the list, but it’d be nice for it to be set up properly :)

    • Thanks John – we’ll forward the feedback to our devs.

  • Tim

    I noticed that you don’t offer a recovery code here. What is Backblaze’s fallback plan for getting in the account in case of Authy or Google Authenticator going away?

    • Hey Tim! You’d need to contact support if you lose the authentication device.

      • Tim

        That works! So long as support can safely verify it’s the right person calling I’m happy with that. Thank you for implementing this – my stuff in B2 feels safer already :)

        • Phil Taylor, The Joomla Expert

          this allows social engineering hacks … made easy… :-(
          as PayPal have proved over the years…

  • Lucas Cantor

    So happy to see this! Thank you so much for listening ❤️🔒📁

  • Mxx
    • Will do! We let support know this morning it was going live and they’ll be updating the documentation soon!

  • Gergoe

    Great!

  • Stefan Seidel

    Finally! Thank you. Always having to wait and request the SMS a second time was getting annoying. Now if you could add “autocomplete=off” to the 2FA input field I couldn’t be happier. :-)

    • Hah, we’ll let the devs know :P

  • Bacobits

    Question – if I enable google authenticator, does this impact the backup agent login, or just logins via web?

    • Just logins on the web!

      • Lambós Józsi

        Going to enable ASAP

      • Bacobits

        Thanks!