Support for additional two factor authentication methods

I was very pleased to see that QuickFile offers support for two factor authentication (2FA) via Google Authenticator, however I would like to see support for additional methods that offer more convenience/flexibility and even greater security.

I would specifically like to see support for the Yubikey, in particular for the Yubikey Neo as this supports FIDO U2F, a new 2FA technology that avoids man-in-the-middle attacks, but even the Yubikey Standard would be great to have as it’s a simple case of inserting the key and pressing the button.

Another technology I’d like to see supported is Duo Security, which is a push based solution that sends a message to the Duo Mobile app, which the recipient simply either approves or rejects. This is far more convenient than having to fire up Google Authenticator, find QuickFile in the list, look up the code and then manually type that code into the web browser. In addition to this, Duo Security also supports additional authentication methods for when you don’t have your mobile phone at hand to approve/reject the request: it can send a code via SMS, call a predefined phone number, or use the aforementioned Yubikey Neo with FIDO U2F.

I have been using Yubikeys for a number of years now, and always have them on me as they are attached to my house keys, whereas I have on occasion left the house without my mobile phone which made using Google Authenticator protected sites a major hassle.

Thanks for the feedback, I’ll certainly leave this thread open for others to comment and add their vote. I’m afraid direct support for Yubikey devices is not something on our short to mid-term development plan at the moment.

If it attracts more interest we will definitely look further into this.

I also would like to see support for either the Yubikey OTP system, or the emerging Fido U2F standard. I’ve set it up on the government gateway site and others like google, dropbox and lastpass.

1 Like

U2F is certainly gaining traction, most notably Facebook recently added U2F as a supported 2FA method.

I use Authenticator Plus, which offers PIN code protection and synchronisation (invaluable when migrating to a new phone!!), which results in the following process when trying to log into my QuickFile accounts:

  1. get phone
  2. unlock it
  3. find Authenticator app
  4. enter PIN (I use Authenticator Plus)
  5. find account in lengthy list
  6. memorise code
  7. switch to computer
  8. enter code within 30 seconds

Compare this to the same process using a U2F key:

  1. insert key into USB slot (if it isn’t already inserted, which it is most of the time)
  2. put finger on key

This request may not have received many votes, but that’s not necessarily an indication of a lack of interest. In my experience as an IT consultant, many people still don’t know what 2FA is or why they need it.

I appreciate your developers are very busy, and doing a great job, but I just wanted to renew my request for this feature, nigh on two years after first requesting it.

I’m very pleased, and grateful, that QuickFile supports 2FA, but unfortunately Google Authenticator is, after SMS, the most cumbersome 2FA method, especially if, like me, you have an extremely lengthy list of sites stored in the authenticator as I systematically enable 2FA wherever it is supported.

Would you consider giving it a higher priority?

1 Like

Hi @Aerion

We do prioritise requests using mainly interest or their wider appeal. All I can suggest is for other users interested in this to please comment so we know that there is interest in this request.

We’re now more than three years on from my original request, so I’d like to renew my request for U2F support and keep this topic alive.

I totally understand your need to prioritise requests, and that you use user interest in a particular feature as a metric to determine whether you can afford to spend time on a feature request.

I’m not a developer, and I certainly don’t know how much work it would be to add U2F support, but with account hacking being a genuine risk these days I feel that security shouldn’t be solely based on user interest. It warrants a proactive, rather than reactive, approach.

Convenience/user-friendliness is a huge factor in adoption of security methods, and as highlighted in my March '17 post, TOTP codes are very cumbersome compared to a U2F key. I’ve seen this repeatedly with clients of mine, who, after I have secured their online accounts with TOTP, end up disabling two-factor authentication again because of the hassle it creates for them. Those with a U2F key, however, have kept 2FA enabled on their accounts.

U2F is tamper proof (no man-in-the-middle attacks, no secret key that can be stolen or faked), doesn’t require a mobile phone with a charged battery, does not require all TOTP protected accounts to be reconfigured when changing mobile phone, but above all is incredibly simple and easy to use.

Maybe you could check with Yubico (co-designers of the U2F standard) to see how much work is required to implement U2F in addition to TOTP, and depending on the outcome give it a higher priority?

Hi @Aerion,

While I agree that we should always be proactive when it comes to security (we were one of the first accounting platforms to adopt MFA), we still need to ensure that if we invest resources to support other MFA devices, there will be reasonable adoption.

Google Authenticator, for better or worse, has become fairly ubiquitous now. Obviously there’s no perfectly secure solution, but right now there would need to be a compelling reason to favour other options over Google Authenticator.

The real challenge is just getting people to use MFA at all. Adoption is currently in the single digit % of all accounts, and that’s using a completely free app that can be installed and setup in a few minutes.