You can now secure your RAIDBOXES account with two-factor authentication (2FA). Why 2FA is so effective as a security measure for WordPress , your login to the RB dashboard or other of your accesses and how two-factor authentication works, we explain in this article.
The nightmare of unauthorized logins
Our lives increasingly take place online. If someone were to gain access to one or all of your accounts, it would be a absolute nightmare. Just imagine if a company you trusted with your financial or personal information got hacked or a data leak became public. Fortunately, it's not just online criminals who've become more resourceful - cyber security to protect against attackers is also improving. And the latest in security includes two-factor authentication (2FA).
As WordPress host, security is a particularly important issue for us and we're constantly working on integrating new security features. To make access to your RAIDBOXES Dashboard even more secure, two-factor authentication is now available to our customers.
What is 2FA and why is it so important?
To best explain why two-factor authentication is so important to data security today, let me first tell you what 2FA isn't.
First of all, 2FA is not a password. Well, not really. If you talk to experts, they'll probably tell you: "the days when a password was enough to prevent unauthorized access to your website are long gone - if it ever worked well at all."
And why were passwords not enough? Human error.
Carelessness when choosing a password
A recent analysis looked at over 1.4 billion hacked passwords and found that many of them were shockingly simple. Quite a few people were even careless enough to use "11111", "12345" or the good old "password". Anyone using such a password shouldn't be surprised at hacked accounts. If you want to know exactly which passwords are most commonly used and how long it takes to crack them, check out Nordpass' "Top 200 most common passwords of the year 2020".
Another issue we need to remember is people recycling passwords. With dozens of apps, accounts, websites and devices demanding credentials from us, it takes a lot of effort to remember different passwords for all of them. But if you use the same password for multiple - or even all - of your accounts, you're taking a huge risk. If anyone manages to crack one of your accounts, they automatically have access to the rest of them too.
Getting started with 2FA
At first glance, two-factor authentication looks like a typical login process. To gain access to a website or app, you'll be asked to enter your username and password. But that's just the first step. After that, you'll be asked for one more piece of information - in addition to your username and password. Most of the time, this additional information is from one of these categories:
- Personal knowledge: In addition to the password, you will be asked for other information that only you know - for example, a PIN, answers to previously answered "secret questions" or an unlock pattern on the phone screen.
- Real-world information: You are asked for information that only you can retrieve - for example, a time-sensitive code sent to your email address or via SMS.
- Biometric information: For example, you may be asked to provide a fingerprint, retina scan, or voiceprint.
Two-factor authentication means that no single password is enough for hackers to crack your login. Using 2FA means that if you lose your phone or your password is stolen, cyber criminals can't access your data without knowing, for example, the name of your first pet or the street you grew up on.
Two-factor authentication and WordPress security
There's a reason why it's usually large companies that are attacked by hackers: they hold a huge amount of data. WordPress accounts for 64 percent of the CMS market, making it an environment where a security breach can deliver a whole lot of data.
Did you know that almost 40 percent of all websites run on WordPress ? That's a lot of websites for hackers to probe for vulnerabilities.
Another reason WordPress attracts hackers is the popularity of the content management system. Because WordPress is so easy to use, you can get your website up and running without much previous experience. There are quite a few relatively inexperienced WordPress users out there whose websites aren't properly secured, not updated and thus provide excellent backdoors for attackers.
How can you protect your WordPress website?
First and foremost, you should use strong passwords. But how do you find a good password that you can still remember? How-To Geek Editor in Chief Chris Hoffmann has a great tip for you:
"You might find it easier to remember a sentence like 'The first house I ever lived in was 613 Fake Street. Rent was $400 per month.' You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it's not bad at all.”
However, your passwords should not only be secure, but also unique. With a corresponding number of accounts, your memory will be put to the test. But don't worry: There are many password managers that not only manage your passwords, but also generate unique, complex passwords for each new account. But again, passwords are limited in their ability to protect your hard work and your data. So let's get back to two-factor authentication.
How does two-factor authentication work?
This is the original form of 2FA, where you receive a key fob that generates a new code every 30 seconds. When you want to log in to the corresponding website, you check the current code and enter it. Another form is a USB key that automatically enters a 2FA code into the computer when plugged in.
These hardware options are better than no 2FA at all, but unfortunately not much better. Because they are easy to lose, expensive for companies to produce and distribute, and definitely not impossible to hack.
SMS and voice 2FA
With this type of two-factor authentication, you log in with your name and password and then receive an SMS or voice message with a unique passcode (OTP). You must enter this to complete your login. This type of 2FA is widely used, although it's not yet the ideal solution. In 2017, for example, a group of white-hat hackers managed to "hijack" a Bitcoin wallet by intercepting 2FA SMS.
By far the most popular form of 2FA today is the use of a time-based one-time password (TOTP) generated by a software program, also called a "soft token".
With this method of two-factor authentication, you first download a free 2FA app - on your smartphone or computer. Once installed, this app will work with any website that supports TOTP authentication. Once you've enabled 2FA via TOTP for one of your logins, you simply sign in with your username and password. You'll then be prompted to enter a code that will be sent to the app you have installed. This code usually expires after 60 seconds.
As the code is generated and displayed on the same device, there's no chance of hackers intercepting it. Moreover, these apps also work offline. So unlike 2FA via SMS, you're not dependent on your mobile network.
2FA push notifications
Another increasingly common version of 2FA is push notifications. The way these work is that you get a notification from websites and apps when there's a login attempt. You simply confirm or decline with one click - et voilà - you're logged in without any additional passwords or tokens.
However, this version of 2FA only works if you and the website have a direct, secure connection.
Which 2FA app can you use?
There are countless apps that you can use for the TOTP authentication described above. To clear the jungle a bit, I have brought you two examples:
If you use Android, for example, the app andOTP is a good choice. It offers the possibility to set a password to open the app and to create and encrypt backups. For example, whenever you add or remove a new service, you can back up an encrypted backup to your private cloud, so you won't have a problem when you change your mobile device. The integration with 1Password or other password managers also works with andOTP without any problems.
Since andOTP is not available for iOS, Twilio Authy is a good choice for Apple users. The advantages: Authy offers service backups in the iCloud or via Google Drive and is regularly subjected to intensive security tests.
In addition, you can generate TOTP codes with most password managers. If you use 1Password, for example, this step-by-step guide will help you.
Two-factor authentication for RAIDBOXES
From now on, you can activate two-factor authentication for a RAIDBOXES account in addition to your normal login. If 2FA is active, you have to enter another code in addition to your password when logging in to the RB dashboard. You can choose to receive this code by email, SMS or via an authentication app.
The use of the 2FA feature is free of charge and optional for all RAIDBOXES customers. However, we strongly recommend you to activate this additional feature. After all, if someone were to log into your RAIDBOXES account unauthorized, they would not only have access to your data, but also to your customers' data - for example, if you manage customer sites as an admin.
2FA via app, mail or SMS
There are three methods of two-factor authentication available at RAIDBOXES:
- App: To use our 2FA feature, you can use any authenticator app that supports TOTP. For example, we recommend andOTP (for Android) or Authy (for iOS).
- Email: If you want to use 2FA via email, you will get your authentication codes sent to the email address you are registered with at RAIDBOXES .
- SMS: If you have at least one paid contract, you can also use 2FA via SMS. (The mobile phone number you provide is not stored in our system. We can therefore not see which number you use for 2FA).
After you have activated the two-factor authentication for your RAIDBOXES account (how to do this is explained in this help article), you will have to enter an additional code when logging in, which will be sent to you via the method you have chosen.
You also need to enter a 2FA code to deactivate the feature. Should you ever lock yourself out of your account, simply contact our support via live chat.
What does 2FA apply to at RAIDBOXES?
You can enable two-factor authentication with a few clicks in your account settings. Please note that the 2FA protection with RAIDBOXES only applies to the account for which you've activated it - not for individual BOXES or their admins.
However, to best protect you and your company's data, we strongly recommend all users secure access to their RAIDBOXES account wit 2FA.
And what about 2FA for WordPress?
At this point, I'd like to point out agai that our 2FA feature is only available for your RAIDBOXES account and not for your WordPress login. However, there are many 2FA WordPress plugins that you can use to secure your WordPress login.
These include, for example, the Plugin "Google Authenticator - WordPress Two Factor Authentication" with over 20,000 active installations. Or "Two Factor Authentication" - also with over 20,000 users - from the makers of the popular backup Plugins "UpdraftPlus". You can find more 2FA Plugins easily in the official WordPress Plugin directory or in your WordPress dashboard under Plugins > Install.
We're proud to announce that access to the RAIDBOXES Dashboard is now even more secure for our users thanks to two-factor authentication. Even though you're not required to enable 2FA, we hope the advantages discussed in this article have convinced you. By additionally requesting a 2FA code, your account gets another layer of security and you ensure that your data - and your customers' data - is even better protected against unauthorized access.
We appreciate your input!
If you have any further questions about two-factor authentication or how to use the 2FA feature at RAIDBOXES, feel free to leave us a comment - or contact us in our live chat!