Buffer launches two-factor authentication after breach

Uses Google Authenticator and SMS to enable to optional security measure.

After working through a third-party breach of its databases last month, social media management company Buffer is rolling out two-factor authentication to its customers.

The company has been working on the optional feature for the past few weeks, with the feature aimed at making it more difficult for attackers to gain access even in the event that credentials are stolen.

(Credit: Buffer)

Putting its money where its mouth is, Buffer employees are also required to set up third-party two-factor authentication on the services they use, including Google, GitHub, Stripe, HipChat, and Dropbox.

As multiple users can have access to a Buffer account as a team member, Buffer's implementation of two-factor authentication is also able to extend to these accounts.

Buffer provides two ways for users to generate tokens, the first being via a one-time SMS sent to the user's phone, and the second through Google Authenticator. The use of Google Authenticator indicates that Buffer is using the more standardised time-based, one-time password algorithm, which theoretically should allow users to pick their own token generator if they know the "secret" used to seed tokens (which is typically provided as a QR code). Many other organisations are using the algorithm, such as Linode, Amazon Web Services, and Evernote, making it easy to manage tokens within a central application; however, others, such as Twitter, have decided to use two-factor systems that need to be managed separately.

Where Google Authenticator is used, Buffer asks users for a backup phone number and also provides a single-use code in case their phone is lost.