
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 11 Apr 2026 08:50:08 GMT</lastBuildDate>
        <item>
            <title><![CDATA[You can now use Google Authenticator and any TOTP app for Two-Factor Authentication]]></title>
            <link>https://blog.cloudflare.com/you-can-now-use-google-authenticator/</link>
            <pubDate>Thu, 16 Feb 2017 21:52:49 GMT</pubDate>
            <description><![CDATA[ Since the very beginning, Cloudflare has offered two-factor authentication with Authy, and starting today we are expanding your options to keep your account safe with Google Authenticator and any Time-based One Time Password (TOTP) app of your choice. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Since the very beginning, Cloudflare has offered <a href="/choosing-a-two-factor-authentication-system/">two-factor authentication with Authy</a>, and starting today we are expanding your options to keep your account safe with Google Authenticator and any Time-based One Time Password (TOTP) app of your choice.</p><p>If you want to get started right away, <a href="https://www.cloudflare.com/a/account/my-account">visit your account settings</a>. Setting up Two-Factor with Google Authenticator or with any TOTP app is easy - just use the app to scan the barcode you see in the Cloudflare dashboard, enter the code the app returns, and you’re good to go.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1Zx79zxgeaggLrqgyfoILY/49d4594bad96d6a5a57825b5b264561b/IMG_3701_5.png" />
            
            </figure>
    <div>
      <h3>Importance of Two-Factor Authentication</h3>
      <a href="#importance-of-two-factor-authentication">
        
      </a>
    </div>
    <p>Often when you hear that an account was ‘hacked’, it really means that the password was stolen.</p><blockquote><p>If the media stopped saying 'hacking' and instead said 'figured out their password', people would take password security more seriously.</p><p>— Khalil Sehnaoui (@sehnaoui) <a href="https://twitter.com/sehnaoui/status/816861012016197632">January 5, 2017</a></p></blockquote><p>Two-Factor authentication is sometimes thought of as something that should be used to protect <i>important</i> accounts, but the best practice is to always enable it when it is available. Without a second factor, any mishap involving your password can lead to a compromise. Journalist Mat Honan’s <a href="https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/">high profile compromise</a> in 2012 is a great example of the importance of two-factor authentication. When he later <a href="https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/">wrote about the incident</a> he said, "Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened."</p>
    <div>
      <h3>What is a TOTP app?</h3>
      <a href="#what-is-a-totp-app">
        
      </a>
    </div>
    <p><a href="https://tools.ietf.org/html/rfc6238">TOTP (Time-based One Time Password)</a> is the mechanism that Google Authenticator, Authy and other two-factor authentication apps use to generate short-lived authentication codes. <a href="/choosing-a-two-factor-authentication-system">We’ve written previously on the blog</a> about how TOTP works.</p><p>We didn’t want to limit you to only using two-factor providers that we'd built integrations with, so we built an open TOTP integration in the Cloudflare dashboard, allowing you to set up two-factor with any app that implements TOTP. That means you can choose from a wide array of apps for logging into Cloudflare securely with two-factor such as <a href="https://m.vip.symantec.com/home.v">Symantec</a>, <a href="https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile">Duo Mobile</a> and <a href="https://support.1password.com/guides/ios/?q=totp">1Password</a>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2NRvcimd3ivJwDuKgGRIOC/600caf42c23fcb0c9921fc19a759b003/Screen-Shot-2017-02-15-at-3.59.18-PM_5.png" />
            
            </figure>
    <div>
      <h3>Get Started</h3>
      <a href="#get-started">
        
      </a>
    </div>
    <p>If you want to enable Two-Factor Authentication with Google Authenticator or any other TOTP provider, visit <a href="https://cloudflare.com/a/account/my-account">your account settings here</a>. It’s easy to set up and the best way to secure your account. We also have step-by-step instructions for you <a href="https://support.cloudflare.com/hc/en-us/articles/200167866">in our knowledge base</a>.</p> ]]></content:encoded>
            <category><![CDATA[Google]]></category>
            <category><![CDATA[Authy]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">7tfSOTb7M9IB9n4KkDOsv0</guid>
            <dc:creator>Evan Johnson</dc:creator>
        </item>
        <item>
            <title><![CDATA[Choosing a Two-Factor Authentication System]]></title>
            <link>https://blog.cloudflare.com/choosing-a-two-factor-authentication-system/</link>
            <pubDate>Wed, 28 Nov 2012 20:21:00 GMT</pubDate>
            <description><![CDATA[ We've been thinking about how to best implement two-factor authentication to better protect our customers' accounts for quite some time now. When, about 6 months ago, my account was targeted by hackers, the importance of good account security became clear. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>We've been thinking about how to best implement two-factor authentication to better protect our customers' accounts for quite some time now. When, about 6 months ago, my account was <a href="/post-mortem-todays-attack-apparent-google-app">targeted by hackers</a>, the importance of good account security became clear. However, as my hacking case illustrates, two-factor authentication alone is not a complete answer.</p><p>At CloudFlare, we considered a number of different ways to implement two-factor authentication. We considered building it ourselves and using Twilio, or another similar service, to send authentication codes via SMS to our customers' mobile phones. The problem with that strategy is that it passes the supposedly secure authentication code through your mobile carrier's less-than-secure network. And, again, if there's a lesson to be learned from my own hacking case it's that mobile providers' security is not always the most robust.</p><p>We also considered some sort of fob-based two-factor system. Unfortunately, these are generally very expensive and therefore prohibitive for us to offer all our customers. We also considered solutions like Google's Authenticator. It's a well thought out system, and we have a ton of respect for the Google team, but we were nervous about handing another key to identity over to a company whose primary business is search and advertising. Not to mention a bit of a bad taste after a <a href="/the-four-critical-security-flaws-that-resulte">flaw in Google's own implementation of their two-factor authentication system</a> contributed to my hack.</p>
    <div>
      <h3>TOTP: Open Authentication</h3>
      <a href="#totp-open-authentication">
        
      </a>
    </div>
    <p>The underlying algorithm used by several two-factor authentication schemes, including Google's, is open and known as the <a href="http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm">Time-based One-time Password Algorithm (TOTP)</a>. TOTP was specified by the Internet Engineering Task Force (IETF) under <a href="http://tools.ietf.org/html/rfc6238">RFC 6238</a>.</p><p>The mechanics of TOTP are relatively easy to understand. To begin, every TOTP user is issued a random key. Both the server and the client have a copy of this random key. TOTP assumes that both the server and the client can synchronize their clocks. When a user goes to log in, the client rounds the current timestamp down to the previous 30-second interval. The client then combines the key and the timestamp.</p><p>This combined key and timestamp value is then run through a SHA hashing algorithm. SHA, like other cryptographic hashes, is a one-way algorithm: the output cannot be used to derive the input. The SHA algorithm's output becomes the authentication code which the user can post to the server as part of the login process.</p><p>Since the server has the same random key for the user, and since the client and server clocks are synchronized, the server can also calculate an authentication code using the SHA algorithm. If the authentication code the server has received from the user matches the one the server derived itself, then the user's identity can be confirmed.</p><p>What is powerful about this scheme is that if an attacker steals the authorization code then, within 30 seconds, it will be useless. This is typically insufficient time for the attacker to gain access to the account. This is particularly effective against phishing attacks, where an attacker convinces a user to reveal their login credentials on a fake website.</p>
    <div>
      <h3>Authy</h3>
      <a href="#authy">
        
      </a>
    </div>
    <p>If the core algorithm for two-factor authentication is public, then the question comes down to who has the best implementation. We looked at several implementations and were particularly impressed by a company called <a href="http://www.authy.com/">Authy</a>. The Authy team created a beautiful, simple, elegant app that implements TOTP. Their vision is not to create yet another app you need to install, but instead to create a single place from which you can manage all your TOTP two-factor authentication tokens.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2HS99JoAaKJ5jgJjQZTV5u/bc95bca549bacf91bdc92acfd09ce79e/authy_logo.png.scaled500.png" />
            
            </figure><p>We've been using the Authy app internally for all of our administrative systems for the last three months. The Authy team has worked with us to refine their app to make it as simple and elegant as possible. After months of our own tests, and spurred on by a phishing attack that targeted CloudFlare accounts, we decided to open up two-factor authentication as a feature for all our customers. If you're interested, you can read about how to implement it on your account with <a href="/2-factor-authentication-now-available">just a few easy steps</a>.</p>
    <div>
      <h3>But... I've Already Installed Google Authenticator on My Phone!</h3>
      <a href="#but-ive-already-installed-google-authenticator-on-my-phone">
        
      </a>
    </div>
    <p>The biggest question we continue to get is why we didn't just use Google Authenticator, since a number of people already have it installed on their phones. Beyond the high-level concerns above, there were a number of technical concerns over security and ease of use that we believe made Authy a better choice.</p><p>First, with Google Authenticator if you lose your app there's no way you can revoke the app's tokens. This is probably the biggest security flaw with the Google Authenticator app. While it can be mitigated by password protecting your phone, the better solution is to allow the app to be deauthorized. Authy fixes this problem and allows you to revoke the app's token if you lose your phone. That's a big win for Authy over Google Authenticator.</p><p>Second, Google's Authenticator can get out of sync when you don't have network access, leaving you in the frustrating situation of not being able to access your account. Since all TOTP systems rely on the clock on your phone to match the clock on the server, if there's not a fairly precise match then there can be problems. I've experienced this myself when traveling and it can be frustrating. Authy has built a significant amount of logic into their app in order to keep clocks in sync even when you don't have network access.</p><p>Third, if you upgrade your phone, with Google's Authenticator you have to reestablish all your two-factor accounts from scratch. With Authy, all your accounts are synced, so when you upgrade and re-install Authy everything will be set up the way you expect it.</p><p>And there are a number of other well thought out details. Authy uses SHA-2 and 256-bit keys, where Google's Authenticator uses SHA-1 and 128-bit keys — likely not a huge deal for this application, but generally longer keys and more secure hashing protocols are better. 
When you wake your phone from sleep, Authy will always start with a code good for the next 30 seconds — it's a nice touch and removes the annoyance with Google's Authenticator of having to wait for the timer to expire if you don't have enough time to enter a code. And the interface is cleaner and just nicer to use than Google's.</p><p>But we get it. People don't like to have to install another app on their phones. The good news is the Authy team gets it too. They're adding support in the next few weeks for Google Authenticator tokens to their system as well. That way you can use Authy's great UI to access your Google codes through one app.</p> ]]></content:encoded>
            <category><![CDATA[Authy]]></category>
            <category><![CDATA[Product News]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">Lbs4T8aubqbyCAvuxfBbt</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Two-factor Authentication Now Available]]></title>
            <link>https://blog.cloudflare.com/2-factor-authentication-now-available/</link>
            <pubDate>Wed, 28 Nov 2012 17:05:00 GMT</pubDate>
            <description><![CDATA[ With web performance and security being the core of CloudFlare, we are always looking for ways to improve not just our customers' website security, but their account security as well. Therefore, we are excited to now offer two-factor authentication for all CloudFlare accounts. ]]></description>
            <content:encoded><![CDATA[ <p>With web performance and security being the core of CloudFlare, we are always looking for ways to improve not just our customers' <a href="https://www.cloudflare.com/learning/security/how-to-secure-a-website/">website security</a>, but their account security as well. Therefore, we are excited to now offer two-factor authentication for all CloudFlare accounts.</p><p>With two-factor authentication, our customers' accounts get an added layer of login security, ultimately adding another layer of <a href="https://www.cloudflare.com/security/">security to their websites</a>. We've been working on this feature for a while, and we are happy to announce that it's ready and available to all CloudFlare customers.</p><p>To make this feature happen, we worked with <a href="https://www.authy.com/">Authy</a>, a startup who loves security too. Authy provides an easy-to-use, powerful two-factor authentication service. Their mission is to turn everyone's cell phone into a secure token. The Authy app works with iOS and Android devices and we're providing it free to all CloudFlare account holders. Here's how it works.</p>
    <div>
      <h3>Easy additional account security</h3>
      <a href="#easy-additional-account-security">
        
      </a>
    </div>
    <p>To turn two-factor authentication on, you simply log into your CloudFlare account, navigate to "<a href="https://www.cloudflare.com/my-account">My account</a>" and select "two-factor authentication with Authy."</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1rxVabRs2TtqUdWIOOotuz/3cef430aeab13801e8634e3d6f19f46a/Screen20shot202012-11-2020at2012.22.1420PM.png.scaled500.png" />
            
            </figure><p>Once there, you will enter your mobile phone information and select "enable two-factor authentication."</p><p>You will then receive a text message (your provider's standard text messaging rates will apply). The text message includes a link to download the Authy app. The Authy app will ask you to enter your mobile phone number. It will then text you a setup pin that you need to enter into the Authy app.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6rVEGU55uA7P4kJkL3ysB1/3163a981885abf554367d0e601588c80/authy-install-link.png.scaled500.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1z4RxEstqDg079BQwIJAtA/d9284d4c61e976344aed21cd0819f871/authy-registration_copy.png.scaled500.png" />
            
            </figure><p>Once you receive your pin number via text, enter it into the Authy app. The Authy app will then be authorized and able to generate authentication tokens unique to your account. In the future, whenever you access your CloudFlare account you'll need three things: 1) your email address, 2) your password, and 3) your two-factor authentication token.</p><p>When you <a href="https://www.cloudflare.com/login">log in to CloudFlare</a> for the first time after enabling two-factor authentication, you will need to launch the Authy app on your phone. It will generate a unique, 7-digit authentication token. The authentication token is good for 30 seconds and then will change to a new token.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/318ViNLBHqlbUcEubhUZwm/23fd7868f6541b7c26402451a7ff9855/cloudflare-token.png.scaled500.png" />
            
            </figure><p>You can store your authentication for 14 days. If you log in from an unrecognized device, or after your authentication expires, you'll need to open the Authy app and get your new authentication token for that device. The Authy app does not rely on you having network access, so you can retrieve your code even if your phone is not connected to the Internet.</p><p>If you ever lose your phone or get a new one you can reassociate your account by following the <a href="https://www.authy.com/phones/reset">reset instructions</a> on Authy's website.</p><p>You don't need to enable two-factor authentication in order to continue to use CloudFlare. However, we're providing it to all CloudFlare customers free and we recommend it for everyone who wants additional account security.</p> ]]></content:encoded>
            <category><![CDATA[Authy]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">5TPSqzl5wgpMJ9wXuBNkkp</guid>
            <dc:creator>Kristin Tarr</dc:creator>
        </item>
    </channel>
</rss>