• sopularity

    After reading the hacking story of Buffer, I am also considering to encrypt the email addresses in my database. Can I ask which 2-way encryption algorithm you are using at Buffer?

    • sunils34

      Hi there! That’s awesome you’re considering encryption! Email encryption is often something that’s overlooked! We use a few different encryption methods. Depending on the use case, we use a mix bcrypt, xor encryption and mcrypt.

      • ToopherSeth

        Did you consider scrypt (http://en.wikipedia.org/wiki/Scrypt)? Where bcrypt is computationally expensive, scrypt is memory intensive, which prevents against clustered GPU attacks.

  • Interesting 😀

  • While I am a big fan of Two Factor Authentication, I would love to see Yubikey (http://www.yubico.com/) and/or Toopher (https://www.toopher.com/) as options.

    I have been using a combo of these technologies for awhile and prefer it over Google Auth (Facebook just added Yubikey support too)

    • sunils34

      Hi Kray! That’s a great suggestion! I’ve not heard much about those. I’ll research this a bit more and see how quickly we can add support for Yubico and/or Toopher. They look like very secure options.

      • Alexa Staudt

        Would love to chat with you about using Toopher! Feel free to DM us on twitter or shoot me an email. MyFirstName.MyLastName @ toopher.com

    • You could use LastPass to fill in your passwords. That has Yubikey support. I personally prefer Google Authenticator because I can use it on my phone. I don’t want to have to remember another device. However if you’re the kind of person that can remember to bring it around with you, then they’re very secure.

      • LastPass won’t do anything to improve security on Buffers end though, only the users.

        I prefer Toopher over Google Authenticator as you can have it remember locations and devices to speed up the process, check out their video. My Yubikey is on my key ring and I never go anywhere without my phone or keys.

        • True, but if a hacker gets my Buffer password I’d still be protected with 2 step authentication.

          How does Toopher remember locations and devices? Don’t quite understand that. I should look into Yubikey- I suppose I could put it on my keys, but I sometimes forget my keys and I don’t have them to hand in the same way as I have my phone.

          • Only if you have enabled TFA on the Buffer side. If not, LastPass won’t do anything for you, it’s a Password Manager.

            I just won’t be able to get into your LastPass Vault without the Two Factor.

          • ToopherSeth

            Toopher gets paired with your device in much the same way that you couple Google Authenticator, then subsequent logins are approved from the paired device. The push based 2FA is a big improvement over typing in an OTP, but we go one step further and allow users to automate similar requests. Your phone maintains a list of approved locations (your location is never sent to Toopher and the locations are encrypted on your phone) and invisibly replies for you. All the security without the fuss. I think it’s really cool 🙂

    • Mark Stanislav

      By adding support for Duo Security, you’d inherently gain the capability in the platform for Yubikey. Facebook uses us internally for their systems and leverage Yubikey quite a bit for their employees.

  • That’s great news, and you’ve done it properly! I am so glad you’ve got Google Authenticator support. SMS only is bad because it doesn’t work if there is no mobile/cell coverage. I also use LastPass so I am super secure.

  • Paul Thomas

    The 2 factor check only seems to work for logon via a browser.
    The Android app doesn’t ask for the 2nd step.
    Is this intended/expected?

    • sunils34

      Hi Paul, You’re right, we have not yet added this to our mobile apps. We’ll be pushing out updates to our mobile apps sometime in the next few weeks with TFA support.

  • Memphis Astrology

    The NSA has more than enough information on all of us. I have avoided giving Google my phone number for years, so if this is required to use Buffer now, I’ll have to say good-bye. After all, how private can something be in the measly 140 characters that I’m going to make public on Twittter anyway?

    • Belle

      It’s pretty scary to give out your phone number, I totally get that. I try to avoid it, too. If you use the Google Authenticator app, you can actually avoid providing a backup phone number, if that works better for you. And of course, 2-Step Login is optional, so you can skip it entirely if you prefer.

  • Nice to see 2-step login. Instead of using Google Authenticator as the app, I’ve been using an app called Authy. It has a couple advantages over authenticator and is compatible with all sites that use Authenticator.

    1. You can share your credentials with other devices (ex. my iPhone and iPad). Sometimes I leave my phone by the door and have my iPad close at hand, so it adds a bit of convenience.

    2. There is an app you can install on a Mac that will pair with your phone via BlueTooth. When you get to a site that needs two factor authentication, your phone can essentially beam your code to the computer. Saves a bit of typing and lets you keep your phone in your pocket.

    • Belle

      Thanks for sharing, that’s really interesting! I’ll check that one out.

  • Phil

    Do you have an idea of how this will work with 3rd party connections? I buffer a lot of articles through Reeder, for example. Will that still work if 2-factor auth is activated?

    • sunils34

      Hi Phil! Your 3rd party connections will work as expected, even if you’ve set up 2-factor authentication. You can always revoke access to third party apps here: https://bufferapp.com/app/account/apps

  • The trend to force mobile to “secure” things is a disturbing one. While I love the way Buffer has handled the hack, and admire that they want to make their service more secure, I cannot support the chosen execution path.

    Toodles Buffer, best of luck to you.

  • Thomas Hawley

    Thanks for the mentions of Toopher! It is a great setup and it is perfect for this type of application. Feel free to contact me if you are interested in learning more about Toopher.

  • I created my account and login using my social networks. I didn’t have an “Username-Password” combination!! I see that to setup TFA, I need to create a password, which I am not willing to.
    Is there any work around for this or any future updates??

    • Belle

      Hi Srihari,

      Unfortunately you do need to set up a password for your Buffer account to use 2-Step Login. If you don’t want to do that, you could set up the same thing for your actual social profiles. I know both Facebook and Twitter offer this, at least. That will help protect your social accounts a little more, though it won’t affect your Buffer account.

      • For now, I will continue without 2-Step Login. I already enabled TFA for all my social accounts, and so I am pretty sure no one could get access to my Buffer.

        Thank Belle 🙂

  • Hi,
    Thanks alot Belle for sharing this news. It was indeed very useful.

  • Lyka

    Hi my phone got stolen now I can’t open my bufferapp acct because I can’t enter the verification code. is there a way for me to retrieve my account? like send me an email or something? thank you so much!

    • Adam Farmer

      Hey there, Lyka! So sorry to hear of the stolen phone! Definitely a situation that is not fun at all. I would love to see if we can make the Buffer side of things a bit easier for you as you work through the rest. Would you be up for sending an email to [email protected]? From there, we should be able to ensure the security of your account and help you get back logged in. 🙂

      • Lyka

        Thanks Adam, I will definitely email them right now..Thank you..

  • Please add support for other authenticator apps. The only one that works is Google Authenticator. I would prefer to use Yubico Authenticator. Most other apps now allow people to use TOTP security tokens from any authenticator app.