You can now secure your Raidboxes account with two-factor authentication (2FA). This article explains why 2FA is such an effective security measure for WordPress, your login to the Raidboxes Dashboard or other access points, and how two-factor authentication works.
The nightmare of unauthorized logins
Our lives increasingly take place online. If someone were to gain access to one or all of your accounts, it would be an absolute nightmare. Just imagine if a company you trusted with your financial or personal information got hacked or a data leak became public. Fortunately, it's not just online criminals who've become more resourceful - cyber security to protect against attackers is also improving. And the latest in security includes two-factor authentication (2FA).
As a WordPress host, security is a particularly important issue for us and we are constantly working on integrating new security features. To make the Raidboxes Dashboard even more secure, two-factor authentication is now available to our customers.
What is 2FA and why is it so important?
To best explain why two-factor authentication is so important to data security today, let me first tell you what 2FA isn't.
First of all, 2FA is not a password. Well, not really. If you talk to experts, they'll probably tell you: "the days when a password was enough to prevent unauthorized access to your website are long gone - if it ever worked well at all."
And why were passwords not enough? Human error.
Carelessness when choosing a password
A recent analysis looked at over 1.4 billion hacked passwords and found that many of them are shockingly simple. Quite a number of people were even so careless that they used "11111", "12345" or the good old "password". Anyone using such a password shouldn't be surprised about hacked accounts. If you want to know exactly which passwords are most commonly used and how long it takes to crack them, check out the "Top 200 most common passwords of the year 2020" from Nordpass.
Another issue we need to remember is people recycling passwords. With dozens of apps, accounts, websites and devices demanding credentials from us, it takes a lot of effort to remember different passwords for all of them. But if you use the same password for multiple - or even all - of your accounts, you're taking a huge risk. If anyone manages to crack one of your accounts, they automatically have access to the rest of them too.
Getting started with 2FA
At first glance, two-factor authentication looks like a typical login process. To gain access to a website or app, you'll be asked to enter your username and password. But that's just the first step. After that, you'll be asked for one more piece of information - in addition to your username and password. Most of the time, this additional information is from one of these categories:
- Personal knowledge: In addition to the password, you will be asked for other information that only you know - for example, a PIN, answers to previously answered "secret questions" or an unlock pattern on the phone display.
- Real-world information: You are asked for information that only you can retrieve - for example, a time-sensitive code sent to your email address or via SMS.
- Biometric information: For example, you may be asked to provide a fingerprint, retina scan, or voiceprint.
Two-factor authentication means that no single password is enough for hackers to crack your login. Using 2FA means that if you lose your phone or your password is stolen, cyber criminals can't access your data without knowing, for example, the name of your first pet or the street you grew up on.
Two-factor authentication and WordPress security
There's a reason why it's usually large companies that are attacked by hackers: they hold a huge amount of data. WordPress accounts for 64 percent of the CMS market, making it an environment where a security breach can deliver a whole lot of data.
Did you know that almost 40 percent of all websites run on WordPress? That's a lot of websites for hackers to probe for vulnerabilities.
Another reason WordPress attracts hackers is the popularity of the content management system. Because WordPress is so easy to use, you can get your website up and running without much previous experience. There are quite a few relatively inexperienced WordPress users out there whose websites aren't properly secured, not updated and thus provide excellent backdoors for attackers.
How to create strong passwords
First and foremost, you should use strong passwords. But how do you find a good password that you can still remember? How-To Geek Editor in Chief Chris Hoffman has a great tip for you:
"You might find it easier to remember a sentence like 'The first house I ever lived in was 613 Fake Street. Rent was $400 per month.' You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it's not bad at all."
However, your passwords should not only be secure, but also unique. With a corresponding number of accounts, your memory will be put to the test. But don't worry: There are many password managers that not only manage your passwords, but also generate unique, complex passwords for each new account. But again, passwords are limited in their ability to protect your hard work and your data. So let's get back to two-factor authentication.
How does two-factor authentication work?
Hardware tokens are the original form of 2FA: you receive a key fob that generates a new code every 30 seconds. When you want to log in to the corresponding website, you check the current code and enter it. Another form is a USB key that automatically enters a 2FA code into the computer when plugged in.
These hardware options are better than no 2FA at all, but unfortunately not much better. They are easy to lose, expensive for companies to produce and distribute, and definitely not impossible to hack.
SMS and voice 2FA
With this variant of two-factor authentication, you log in with your name and password and then receive an SMS or voice message with a unique passcode (OTP). You must enter this to complete your login. This type of 2FA is widely used, although it is not yet the ideal solution. In 2017, for example, a group of white-hat hackers managed to "hijack" a Bitcoin wallet by intercepting 2FA SMS.
By far the most popular form of 2FA today is the use of a time-based one-time password (TOTP) generated by a software program, also called a "soft token".
With this method of two-factor authentication, you first download a free 2FA app - on your smartphone or computer. Once installed, this app will work with any website that supports TOTP authentication. Once you've enabled 2FA via TOTP for one of your logins, you simply sign in with your username and password. You'll then be prompted to enter the code that the app you have installed generates for that login. This code usually expires after 60 seconds.
As the code is generated and displayed on the same device, there's no chance of hackers intercepting it. Moreover, these apps also work offline. So unlike 2FA via SMS, you're not dependent on your mobile network.
2FA push notifications
Another increasingly common version of 2FA is push notifications. The way these work is that you get a notification from websites and apps when there's a login attempt. You simply confirm or decline with one click - et voilà - you're logged in without any additional passwords or tokens.
However, this version of 2FA only works if you and the website have a direct, secure connection.
Which 2FA app can you use?
There are countless apps that you can use for the TOTP authentication described above. To cut through the jungle a bit, here are two examples:
If you use Android, for example, the app andOTP is a good choice. It offers the possibility to set a password to open the app and to create and encrypt backups. For example, whenever you add or remove a service, you can save an encrypted backup to your private cloud, so you won't have a problem when you change your mobile device. The integration with 1Password or other password managers also works with andOTP without any problems.
Since andOTP is not available for iOS, Twilio Authy is a good choice for Apple users. The advantages: Authy offers service backups in the iCloud or via Google Drive and is regularly subjected to intensive security tests.
In addition, you can generate TOTP codes with most password managers. If you use 1Password, for example, this step-by-step guide will help you.
Two-factor authentication for Raidboxes
From now on, you can activate two-factor authentication for a Raidboxes account in addition to your normal login. If 2FA is active, you have to enter another code in addition to your password when logging in to the RB-Dashboard. You can choose to have this code sent to you by e-mail, SMS or via an authentication app.
The use of the 2FA feature is free of charge and optional for all Raidboxes customers. However, we strongly recommend that you activate this additional protection. After all, a person who logs into your Raidboxes account without authorisation would not only have access to your data, but also to that of your customers - for example, if you manage customer sites as an admin.
2FA via app, mail or SMS
Two-factor authentication is possible at Raidboxes via three methods:
- App: To use our 2FA feature, you can use any authenticator app that supports TOTP. For example, we recommend andOTP (for Android) or Authy (for iOS).
- E-mail: If you want to use 2FA via email, you will receive your authentication codes at the email address you are registered with at Raidboxes.
- SMS: If you have at least one paid contract, you can also use 2FA via SMS. (The mobile phone number you provide is not stored in our system. We can therefore not see which number you use for 2FA).
After you have activated the two-factor authentication for your Raidboxes account (we explain how to do this in this help article), you will have to enter an additional code when logging in, which will be sent to you via the method you have selected.
You also need to enter a 2FA code to deactivate the feature. Should you ever lock yourself out of your account, simply contact our support via live chat.
For whom does the 2FA at Raidboxes apply?
You can activate the two-factor authentication with just a few clicks in your account settings. Please note that the 2FA protection with Raidboxes only applies to the account for which you have activated it - not for individual Boxes or their admins.
However, in order to protect your data (and that of your company) as best as possible, we strongly recommend that all users secure their Raidboxes access with 2FA.
And what about 2FA for WordPress?
At this point we would like to point out that our 2FA feature only applies to your Raidboxes account and not to your WordPress login. However, there are many 2FA WordPress plugins that you can use to secure your WordPress login.
These include, for example, the plugin "Google Authenticator - WordPress Two Factor Authentication" with over 20,000 active installations. Or "Two Factor Authentication" - also with over 20,000 users - from the makers of the popular backup plugin "UpdraftPlus". You can easily find more 2FA plugins in the official WordPress plugin directory or in your WordPress Dashboard under Plugins > Install.
We are proud to announce that the Raidboxes Dashboard is now even more secure for our users thanks to two-factor authentication. Even though we do not make activating 2FA obligatory, we hope that the advantages mentioned have convinced you. Because by additionally requesting a 2FA code, your account gets another level of security and you ensure that your data (and that of your customers) is even better protected against unauthorised access.
We appreciate your input!
If you have further questions about two-factor authentication or about using the 2FA feature at Raidboxes, please leave us a comment - or contact us in our live chat!