You can now secure your Raidboxes account with two-factor authentication (2FA). In this article, we explain why 2FA is such an effective security measure for WordPress, for your login to the Raidboxes dashboard and for your other accounts, and how two-factor authentication works.
The nightmare of unauthorized logins
As our lives increasingly take place online, it would of course be an absolute nightmare if someone were to gain access to one or even all of your accounts. Just imagine if a company you trusted with your financial or personal information was hacked or a data leak became public. Fortunately, it's not just criminals who have become more resourceful online - the security measures that protect against attackers are also improving. One of the most effective of these is two-factor authentication (2FA).
As a WordPress hoster, security is a particularly high priority for us and we are constantly working on integrating new security features. To make the Raidboxes dashboard even more secure, two-factor authentication is now available to our customers.
What is 2FA and why is it so important?
To best explain why two-factor authentication is so important for data security today, let me first define what 2FA is not.
First of all, 2FA is not a password, at least not really. If you talk to experts, they'll probably tell you: "The days when a password was enough to prevent unauthorized access to your website are long gone - if it ever worked well at all."
The reason? Human error.
Carelessness when assigning passwords
A recent analysis examined over 1.4 billion leaked passwords and found that many of them are frighteningly simple. A number of people were even so careless that they used "11111", "12345" or the good old "password". Anyone using such a password should not be surprised when an account is taken over: these are the first guesses any attacker tries. If you want to know exactly which passwords are used the most and how long it takes to crack them, take a look at the "Top 200 most common passwords of the year 2020" by Nordpass.
Another problem we must not forget is recycled passwords. With dozens of apps, accounts, websites and devices demanding login credentials from us, it's obviously a pain to remember unique passwords for each account. But if you use the same password for several - or even all - of your accounts, you're taking a big risk. When one site's password database leaks, attackers automatically try the same e-mail and password pairs on every other popular service (known as credential stuffing), so a breach of one account becomes a breach of all of them.
Your introduction to 2FA
At first glance, two-factor authentication looks like a typical login procedure. To gain access to a website or app, you enter your username and password. But this is only the first step. You are then asked for a second piece of evidence, and for that second step to count as a separate factor it must come from a different category than the password:
- Something you know: the password itself, a PIN or the answers to previously set "secret questions". Note that a PIN or a secret question on top of a password does not give you a second factor. Both are knowledge, and both can be leaked, guessed or phished in the same way as the password.
- Something you have: a device or token that only you possess - for example, the phone that receives a time-limited code via SMS, an authenticator app that generates codes, or a hardware token.
- Something you are: biometric information such as a fingerprint, a retinal scan or a voiceprint.
Two-factor authentication means that a password alone is no longer enough to take over your login. If your password is stolen in a phishing attack or a data leak, the attacker still needs your phone or token; if you lose your phone, whoever finds it still needs your password. Only if both factors are compromised at the same time does the attacker get in.
Two-factor authentication and WordPress security
There is a reason why attackers concentrate on large platforms: that's where most of the data is located. WordPress accounts for 64 percent of the CMS market and is therefore an environment where a single vulnerability can be exploited across a huge number of sites and yield a whole range of data.
Did you know that almost 40 percent of all websites run on WordPress? That's a whole lot of websites that hackers can examine for vulnerabilities.
Another reason for WordPress' appeal to attackers is the popularity of the content management system among beginners. Because WordPress is so easy to use, you can get your website up and running without much prior experience. So there are quite a few relatively inexperienced WordPress users out there whose websites are not properly secured and are not kept up to date, and whose outdated plugins and weak admin logins offer easy entry points for attackers.
How to create secure passwords
First and foremost, you should use secure passwords. But how do you find a good password that you can still remember? How-To Geek Editor in Chief Chris Hoffman has a great tip for you:
"You might find it easier to remember a sentence like 'The first house I ever lived in was 613 Fake Street. Rent was $400 per month.' You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it's not bad at all."
However, your passwords should not only be secure, but also unique. With dozens of accounts, your memory will be put to the test. But don't worry: there are many password managers that not only store your passwords, but also generate a unique, random password for each new account, so you only ever have to remember one strong master password. But again, passwords alone are only capable of protecting your hard work and your data to a limited extent. So let's get back to two-factor authentication.
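As an added example (not from the article and not Raidboxes code), the following Python does what a password manager's generator does under the hood and puts a number on the difference between a random password, a passphrase and a top-200 password. The wordlist is a constructed 16-word stand-in for a real list of several thousand words, and the guess rate of 10 billion per second is an assumed figure for an offline attack on a leaked hash, not a measurement.

```python
import math
import secrets
import string

# Constructed, deliberately tiny wordlist for the passphrase demo. A real
# generator uses a list of several thousand words (e.g. the EFF long list).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier",
         "harbor", "iris", "juniper", "kestrel", "lumen", "mosaic", "nectar",
         "orbit", "pepper"]

# Letters, digits and punctuation: 52 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters drawn with the OS CSPRNG (never random.random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type and remember than a 20-char password."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(space_size: int, length: int) -> float:
    """log2 of the search space, assuming the attacker knows the generation
    method (alphabet or wordlist) but not the choices made."""
    return length * math.log2(space_size)


def common_password_entropy(list_size: int = 200) -> float:
    """A password taken from a top-N list is one of only N guesses."""
    return math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password after half the space is searched.
    The guess rate is an assumed figure for an offline attack on a fast hash."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase()
    print("password  :", pw, f"{entropy_bits(len(ALPHABET), 20):.0f} bits")
    print("passphrase:", pp, f"{entropy_bits(len(WORDS), 6):.0f} bits (tiny list!)")
    for label, bits in [("top-200 password", common_password_entropy()),
                        ("20-char random", entropy_bits(len(ALPHABET), 20))]:
        years = expected_crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits -> about {years:.3g} years at 1e10 guesses/s")
```

The point the numbers make: a top-200 password is under 8 bits and falls instantly, while 20 random characters from 94 symbols are about 131 bits, far beyond any offline attack. A passphrase only reaches that level with a large wordlist, which is why the toy list above is labelled as such.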
How does two-factor authentication work?
Hardware token
This is the original form of 2FA: a key fob that displays a new code every 30 or 60 seconds, computed from a secret inside the fob and the current time (the same scheme that authenticator apps use today, see below). When you log in to the relevant website, you read off the current code and enter it. Another form is a USB security key that types a one-time code into the computer when you plug it in and touch it.
Code-generating tokens are better than no 2FA at all, but they share the weakness of every one-time code: a phishing page can ask you for the code and relay it to the real site within its validity window. Fobs are also easy to lose and expensive for companies to buy and distribute. Security keys that speak FIDO U2F or WebAuthn instead of emitting a code are a different matter: the key signs a challenge that includes the website's origin, so there is no code to type into a look-alike site. That makes them the most phishing-resistant option available; the trade-offs are the cost, the need to register a second key as a backup, and the fact that not every site supports them yet.
SMS and Voice 2FA
With this variant of two-factor authentication, you log in with your name and password and then receive an SMS or voice message with a one-time passcode (OTP). You must enter this to complete your login. This type of 2FA is widely used because everyone has a phone, but it is the weakest of the variants listed here: the code travels over the mobile network, so it can be captured by SS7 interception, by SIM swapping (persuading your carrier to move your number to the attacker's SIM card) or by malware on the phone that reads your messages, and like any one-time code it can be phished. In 2017, for example, a group of white-hat hackers managed to "hijack" a Bitcoin wallet by intercepting 2FA text messages.
Software tokens
By far the most popular form of 2FA today is the use of a time-based one-time password (TOTP), which is generated by a software program, also known as a "soft token".
With this method of two-factor authentication, you first download a free 2FA app - on your smartphone or computer. Once this app is installed, it works with any website that supports TOTP authentication. When you activate TOTP for a login, the website shows you a secret (usually as a QR code), which the app stores. From then on, the app and the website's server independently compute the same six-digit code from that shared secret and the current time; nothing is sent to the app. After entering your username and password, you type in the code the app is currently displaying. Codes change every 30 seconds, and servers usually accept the previous and next code as well to tolerate small clock differences.
Because the code is computed on your phone rather than sent to it, there is nothing travelling over the network for an attacker to intercept, and the app works offline. This means you are not dependent on the mobile network, as is the case with 2FA via SMS. What TOTP does not protect against is phishing: a fake login page can ask you for the current code and forward it to the real site within the 30-second window, so you still have to check the address bar before typing it in.
2FA push notifications
Another increasingly common version of 2FA is push notifications. These work in such a way that you receive a notification from websites and apps when there is a login attempt. You simply confirm or decline with a click, and voila, you're logged in without any additional passwords or tokens.
However, this version of 2FA only works while your phone is online, because the prompt is delivered through the platform's push service. Its weak spot is the user rather than the technology: an attacker who already has your password can trigger prompt after prompt until you tap "approve" just to make them stop (known as push fatigue). So decline any prompt for a login you did not just start yourself, and prefer implementations that show a number in the browser that you have to match in the app.
Which 2FA app can you use?
There are countless apps that you can use for the TOTP authentication described above. To make the choice a little easier, here are two examples:
If you use Android, the app andOTP is a good example. This allows you to set a password to open the app and to create and encrypt backups. For example, whenever you add or remove a new service, you can save an encrypted backup in your private cloud and therefore have no problem when you change your mobile device. Integration with 1Password or other password managers also works smoothly with andOTP.
Since andOTP is not available for iOS, Apple users can use Twilio Authy, for example. The advantages: Authy offers encrypted cloud backups of your tokens, protected by a backup password that you choose, so you can restore them on a new device, and it is regularly subjected to security testing.
You can also generate TOTP codes with most password managers. If you use 1Password, for example, this step-by-step guide will help you.
Two-factor authentication with Raidboxes
From now on you can activate two-factor authentication for a Raidboxes account in addition to your normal login. If 2FA is active, you have to enter another code in addition to your password when logging into the Raidboxes dashboard, which you can choose to receive by email, by SMS or from an authenticator app.
The use of the 2FA feature is free of charge and optional for all Raidboxes customers. However, we strongly recommend that you activate this additional protection. After all, a person who logs into your Raidboxes account without authorization would not only have access to your data, but also to that of your customers - for example, if you manage customer sites as an admin.
2FA via app, email or SMS
Two-factor authentication is possible with Raidboxes using three methods:
- App: To use our 2FA feature, you can use any authenticator app that supports TOTP. For example, we recommend andOTP (for Android) or Authy (for iOS).
- Email: If you would like to use 2FA via e-mail, you will receive your authentication codes to the e-mail address with which you are registered with Raidboxes.
- SMS: If you have taken out at least one fee-based contract, you can also use 2FA via SMS. (The cell phone number you enter is not stored in our system. We therefore cannot see which number you use for 2FA).
After you have activated two-factor authentication for your Raidboxes account (we explain how to do this in this help article), you will have to enter an additional code when logging in, which will be sent to you via the method you have selected.
You will also need to enter a 2FA code to deactivate the feature. If you ever lock yourself out of your account, simply contact our support team via live chat.
Who does 2FA apply to with Raidboxes?
You can activate two-factor authentication with just a few clicks via your account settings. Please note that the 2FA protection with Raidboxes only applies to the account for which you have activated it - not for individual boxes or their admins.
However, in order to protect your data (and that of your company) in the best possible way, we strongly recommend that all users secure their Raidboxes access with 2FA.
And what about 2FA for WordPress?
At this point we would like to point out again that our 2FA feature only applies to your Raidboxes account and not to your WordPress login. However, there are many 2FA WordPress plugins that you can use to secure your WordPress login.
These include, for example, the "Google Authenticator - WordPress Two Factor Authentication" plugin with over 20,000 active installations. Or "Two Factor Authentication" - also with over 20,000 users - from the makers of the popular backup plugin "UpdraftPlus". You can easily find more 2FA plugins in the official WordPress plugin directory or in your WordPress dashboard under Plugins > Add New.
Our conclusion
We are proud to announce that the Raidboxes dashboard is now even more secure for our users thanks to two-factor authentication. Even though we don't make 2FA mandatory, we hope that the advantages mentioned have convinced you. Because by additionally requesting a 2FA code, your account gets another layer of security and you ensure that your data (and that of your customers) is even better protected against unauthorized access.
We look forward to your input!
If you have any further questions about two-factor authentication or how to use the 2FA feature at Raidboxes, please leave us a comment - or get in touch via our live chat!