DuoSecurity: Advanced Two-Factor Login for LuxSci’s Web Interface

December 30th, 2011

Two-Factor logins require users to

  1. Enter their username and password correctly (the 1st factor)
  2. Authenticate a second way (e.g., by entering a code delivered to their mobile phones).
Using two-factor authentication ensures that even if a user’s password is discovered, guessed, or captured, a malicious user still cannot gain access to the user’s account, at least not without also having access to the second factor.
Two-factor authentication significantly enhances the security of any system:
  • LuxSci staff use it for all administrative actions through our web interface and the server command line.
  • It is required for PCI compliance.
  • It is appropriate for HIPAA compliance.
LuxSci has long offered a simple and effective two-factor option for its web interface. Now, LuxSci also supports DuoSecurity Two-Factor authentication. This option provides many advanced user and administration features and is cost-effective (usually free) for small organizations.

Compare Two-factor Options at LuxSci

LuxSci customers now have three options for two-factor authentication: SMS/text message, email to alternate email address, and use of DuoSecurity. All three options are free/included with your LuxSci account; however, the DuoSecurity option requires setting up an account with DuoSecurity first. DuoSecurity accounts for ten or fewer users are free, and they also have a 30-day free trial.

In the following table, we compare the features and functionality of each of these three options.

Options compared: SMS/Text, Alt. Email, DuoSecurity

Cost:
  • SMS/Text: Free
  • Alt. Email: Free
  • DuoSecurity: Free up to ten users; $30/mo for each additional ten users

Two-factor authentication features compared:
  • via email message sent at login
  • via SMS/Text message sent at login
  • via batch of codes in an SMS/Text message sent ahead of time
  • via hardware token
  • via a telephone call to any phone, anywhere
  • via push – tap to confirm on your iPhone or Android
  • via App – get passcodes from a free mobile app available for all smartphones
  • Backup methods: set up multiple phones or devices and choose which to use at login
  • Bypass Code – Administrators can generate a one-time code that will let a user log in, even if the user has lost access to their second factor.
  • Users can enable their own Two-Factor method
  • Administrators can enable and enforce Two-Factor authentication for users
  • Administrators can configure users’ Two-Factor options for them
  • Administrators can view authentication logs

There are many other minor configuration options available with DuoSecurity, such as lockout after failed attempts and re-sending SMS codes once the ones already sent are used up.

We highly recommend using DuoSecurity for two-factor authentication due to its feature-rich nature and cost-effectiveness. It is well worth it, even for just the ability to have backup second-factor devices and to generate bypass codes in case of emergency.
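As an added illustration (not LuxSci’s or DuoSecurity’s code), here is a minimal server-side second-factor check in Python that shows three behaviours from the comparison above: a batch of one-time codes issued ahead of time, an administrator bypass code that works exactly once, and lockout after repeated failures. The lockout threshold and code formats are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

MAX_FAILURES = 5  # assumed lockout threshold; the page names the feature, not a number


def _digest(code: str) -> str:
    # Store only hashes of codes, so a leaked table does not yield usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class SecondFactorState:
    batch_codes: Set[str] = field(default_factory=set)  # hashes of unused batch codes
    bypass_code: Optional[str] = None                   # hash of the one-time bypass code
    failures: int = 0
    locked: bool = False


def issue_batch(state: SecondFactorState, n: int = 10) -> list:
    """Issue n six-digit codes ahead of time (the 'batch of codes' option)."""
    codes = [f"{secrets.randbelow(10**6):06d}" for _ in range(n)]
    state.batch_codes = {_digest(c) for c in codes}
    return codes  # delivered to the user out of band, e.g. by SMS


def codes_remaining(state: SecondFactorState) -> int:
    """How many batch codes are left; when this hits zero a new batch is sent."""
    return len(state.batch_codes)


def issue_bypass(state: SecondFactorState) -> str:
    """Administrator-generated one-time code for a user who lost their device."""
    code = secrets.token_hex(8)
    state.bypass_code = _digest(code)
    return code


def verify_second_factor(state: SecondFactorState, submitted: str) -> bool:
    if state.locked:
        return False
    h = _digest(submitted)
    for stored in list(state.batch_codes):
        if hmac.compare_digest(h, stored):      # constant-time comparison
            state.batch_codes.remove(stored)    # each batch code is single use
            state.failures = 0
            return True
    if state.bypass_code is not None and hmac.compare_digest(h, state.bypass_code):
        state.bypass_code = None                # bypass code is consumed on use
        state.failures = 0
        return True
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.locked = True                     # lockout after repeated failures
    return False
```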

Setup Two-Factor Authentication at LuxSci

If you are going to use DuoSecurity, you need to:

  1. Go to www.DuoSecurity.com and create an account
  2. Log in and click on “Integrations” and make a “New Integration” of type “Web SDK.”
  3. Log in to your LuxSci account and proceed to either “Account > Advanced Administration > Security > DuoSecurity Two Factor” (for enabling DuoSecurity account-wide) or “Account > Domain Administration > Select a domain > General Settings > DuoSecurity Two Factor” (for enabling DuoSecurity for a specific domain).
  4. Copy and paste in the DuoSecurity Integration Key, Secret Key, and API hostname that DuoSecurity provides to you.
  5. Select whether DuoSecurity Two Factor should be required for all users or optional (i.e., users can opt to use it, but it is not enabled by default).

If you have specified that DuoSecurity is required, then setup is complete — all affected users will be required to use it when they log in to the system. If you have not pre-configured “second factors” for them, they will be asked to do so as part of their next login to the web interface (this is a straightforward process).

If you are not using DuoSecurity or have left it as “Optional,” then the next step is for your users (or their account administrators) to:

  1. Log in to LuxSci
  2. Go to “Account > My Profile > Two-Factor Authentication”
  3. Select the desired SMS, Email, or DuoSecurity option

What else can I do to protect my login?

In addition to choosing a good password, there are many things you can do at LuxSci to help secure your logins:

  • Update your settings to enforce only secured connections (SSL or TLS) when connecting to WebMail and other LuxSci services such as IMAP, POP, SMTP, FTP, and MySQL. This prevents your username, password, and other data from being captured by eavesdroppers.
  • Restrict permission to log in to your account to specific IP addresses or geographic regions.
  • Password policies – configure minimum password strength, require passwords to be changed frequently, prevent old passwords from being re-used, and block password guessing.
  • Have alerts sent to you about successful and failed logins — so that you are immediately aware of any unauthorized login attempts.
  • Remove access to LuxSci services that you are not using. For example, if you don’t use POP but have access to it, disable it to prevent unauthorized people from trying to access your email or guess your password through that service.

These features and many more are standard with LuxSci accounts.