When it became clear to us last year that using SMS for two-factor authentication (2FA) was insecure, we kinda panicked. We’d spent a lot of time originally building that SMS-based 2FA login system for Basecamp, and the prospect of having to build an entirely new system compatible with proper authentication apps seemed daunting. Especially with major security liability hanging over our head.
So we went the easy route, and handed the 2FA authentication flow over to Google, using their Google Sign-In APIs. Now, that certainly gave us an immediate and secure solution. Nobody is disputing that Google knows security.
But requiring people to have a Google account to get a 2FA-protected Basecamp was an uncomfortable compromise. There are about a million good reasons for why you wouldn’t want Google to know everything about when you log into apps all over the internet. Google’s business is literally based on collecting as much data as possible, so it can use it all against you for ad targeting. That’s just not a regime we feel comfortable encouraging, let alone requiring.
So I’m thrilled to announce that we got our shit together and built our own, wonderful, and secure 2FA login protection for Basecamp. Google Sign-In still works, but it’s deprecated, and we’ll no longer be recommending it going forward.
Our new secure 2FA solution is built on the TOTP standard with backup codes as a fallback. So you can use any TOTP-compatible authentication app, like Authy, 1Password, or Duo, and it works for all versions of Basecamp (here’s how to set it up in Basecamp 3 and Basecamp 2), as well as our legacy apps Highrise, Backpack, and Campfire.
Big kudos to Rosa Gutiérrez from our Security, Infrastructure & Performance team for putting our fears about doing our own TOTP-based 2FA system to shame. She led the project, did the work, and the final result is just great.
Finally, it feels good to have one additional area of the business free from Big Tech entanglement. We also dumped Google Analytics a few months back from Basecamp.com (relying on Clicky.com instead), and we’ll continue the work to untangle ourselves from Google and the rest of the industry behemoths. It’s a long slog, it’s unlikely ever to be fully complete, but every little bit helps.
Oh, and please, if you haven’t already, turn on 2FA to protect your Basecamp account. And if you aren’t already, use a password manager, like 1Password. If you’re reusing a password on Basecamp, and you’re not protected by 2FA, you’re at grave risk of having your account compromised. We work hard to protect everyone at Basecamp, but nothing will protect you online like using 2FA and a password manager everywhere you go.
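As an added example (not Basecamp’s own code), here is what a TOTP-plus-backup-codes scheme like the one described above looks like in Ruby: RFC 6238 code generation, a verifier with a one-step drift window that refuses to accept an already-used counter, and single-use backup codes stored only as hashes. The base32 secret below is the RFC 6238 test-vector key, and the backup-code format is an assumption.

```ruby
require 'openssl'
# RFC 4648 base32 decode: the form in which the secret is shown at enrolment.
def base32_decode(str)
  alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  bits = str.upcase.delete('= ').each_char.map { |c| alphabet.index(c).to_s(2).rjust(5, '0') }.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): dynamic truncation of HMAC-SHA1 over the 8-byte big-endian counter.
def hotp(secret, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = hmac.bytes.last & 0x0f
  code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

# TOTP (RFC 6238): HOTP with the counter derived from the clock in 30-second steps.
def totp(secret, unix_time, step: 30)
  hotp(secret, unix_time / step)
end

# Constant-time comparison, so the check does not leak how many characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept one step of clock drift either way, but never a counter at or below the last
# accepted one, so a code that was already used cannot be submitted a second time.
# Returns the matched counter (persist it as the new last_counter) or nil.
def verify_totp(secret, code, unix_time, last_counter: -1, step: 30, drift: 1)
  counter = unix_time / step
  ((counter - drift)..(counter + drift)).each do |c|
    next if c <= last_counter
    return c if secure_compare(hotp(secret, c), code.to_s)
  end
  nil
end

# Backup codes (assumed: high-entropy random strings, e.g. SecureRandom.hex(8)) are
# shown once, stored only as hashes, and each one is consumed on use.
def hash_backup_code(code)
  OpenSSL::Digest::SHA256.hexdigest(code.strip.downcase)
end

# Returns the hashes still unused if +code+ matched one of them, else nil.
def redeem_backup_code(stored_hashes, code)
  h = hash_backup_code(code)
  idx = stored_hashes.index { |s| secure_compare(s, h) }
  idx && stored_hashes.dup.tap { |a| a.delete_at(idx) }
end
```

The counter check only stops reuse of a code the server has already accepted; a fresh, unused code relayed by a phishing page inside its window is still valid, which is the gap WebAuthn closes.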
Found a minor typo:
She lead the project
->
She led the project
Minor correction, from getclicky.com to clicky.com (https://clicky.com/blog/309/getclicky-no-more)
Any chance admins will be able to *require* 2FA to be enabled by all users?
We’re looking into this as well for a future rollout 👍
+100500
This was the number one feature missing from Basecamp to our team, thank you!
@DHH
Can you comment on:
1. Your experience using Clicky vs GA.
2. Has Basecamp as a company moved away from using Gmail for work email? If so, who did you migrate to?
Can’t set up 2FA on mobile right now. Seems like the JavaScript is broken. At least on mobile Safari (iPhone X).
Sorry about that, Robert! We’ll take a look.
Should be fixed now! 📱🔐
Great job!
I would suggest bitwarden (https://bitwarden.com/) as a password manager.
It does not work… 🙁 The same code is generated on my 1Password and Google Authenticator, but when trying to use it in the 2FA form it says it is incorrect.
Hey Ilias, could you get in touch with our support team? So far we haven’t got any reports of it being broken, and it’s working fine over here. We should be able to figure out what’s wrong in your case.
I’m unable to log on to the app and get a Google 400 (Error:admin_policy_enforced)
It’s a new phone so not sure if it’s my work stopping me accessing it or whether it’s something to do with this change so thought I would share!
Feel like I’ve lost a limb without Basecamp on my phone!
Hi Dani! It shouldn’t be related to this change. If you’re using Google to sign in into Basecamp and your Google account is part of a G Suite account, could you get in touch with any of the admins there? Sounds like they might have some policy enabled that forces you to approve every app using Google to sign in. For example, they might require you to install the Google Apps Device Policy app. You can also get in touch with our support team if you need more help.
Been trying to dump Google Analytics for a while now but couldn’t find the time to do a proper analysis. I was actually wondering what you people use.
Thanks for sharing Clicky with us!
Thanks for finally moving away from Google for the 2FA-setup. I felt uncomfortable using my google login, but I am now a very happy camper!
I just informed my team to change the 2FA for all our user accounts.
I’m not a big Google fan, so I’m wondering: How did you implement the TOTP? Did you use any libraries? Or did you write the whole TOTP from scratch? Interested to hear more how to create a Google alternative if it’s not a business secret 🙂
Hi,
You probably know, but TOTP codes can suffer almost all kinds of attacks just like SMS codes. Namely phishing, that’s the easiest and most common attack.
So, I’m having trouble understanding how by the end of 2019 you are advertising this as a great new feature.
I recommend that you take a look at WebAuthn. I’m sure the team can implement this without much more effort.
Let me know if I can assist in some way. Please continue to make Base Camp great!
Thank you! WebAuthn is also planned 😄
Basecamp no longer needs Google for double-factor authentication?
Thanks Basecamp team for such a wonderful feature. Never liked to use google login option nor authentication solution.
Would such a feature be a part of Rails ecosystem in near future?
Thanks.