You know your users reuse passwords. Their account on your site is only as safe as the least-secure site they've ever reused their password on — so, not very safe at all.
On top of that, dedicated attackers phish passwords by tricking users into visiting their counterfeit copies of your site. Are your users technical enough to recognize tiny differences in URLs and SSL settings?
Two-factor authentication is a step up for your site's security. Users provide their password and then connect a USB security key. Stolen passwords are no longer a disaster.
Google started an industry alliance called FIDO to create a very smart standard called Universal Second Factor ("U2F").
The TwoFactorAuth gem drops into your site to add support for U2F. You don't have to learn the crypto behind it; you just integrate it into your user interface. This should take an hour or two.
U2F is young and growing. Google Chrome supports it fully. Mozilla Firefox is developing support now. Microsoft has joined the Board of Directors for FIDO Alliance, so Internet Explorer should support it soon. (Safari support seems likely, but Apple is famously hard to predict.)
U2F is already supported by the big sites your customers use. They won't need to buy new security keys, because one key works on multiple sites with no extra setup or hassle.
The best way to get security keys is to buy them on Amazon. I recommend Yubico's U2F Security Key, which is pictured on this page. It's solid and obvious to use. If you need more than 500, contact me about a volume discount.
The YubiKey NEO is only useful if you need support for their older OTP authentication. The Plug-up U2F Security Key is cheaper but a bit flimsy and awkward to use.
When I log in to World of Warcraft, I use my password and a security key. The two factor authentication keeps my account safe.
When I log in to my bank from a new computer, they text me a secret code. The phone company isn't prepared to be a secure communication channel; it would only take an attacker a few minutes to trick level 1 support into forwarding texts. There are endless tales of woe online from people who've been hacked this way.
My bank doesn't even offer security keys as an option, because the previous generation of security keys were expensive, proprietary, and inconvenient for users. World of Warcraft puts up with it because players are so passionate, but it's hard to get people passionate about interest-free checking.
The U2F standard gives you one cheap, easy key you can use on every site you visit. The TwoFactorAuth gem makes supporting U2F an afternoon project.
My name is Peter Harkins. I wrote TwoFactorAuth after helping companies (and family members) recover from stolen passwords. I've already contributed to the U2F standard by diagnosing bugs in Google Chrome, sending patches to the leading security key vendor, and catching errors in the U2F spec.
I've been developing websites since 1994. I've worked at the Washington Post building sites to cover news stories like the historic 2008 presidential election. I've maintained a domain name registry, part of the Internet's core infrastructure. And I've consulted for dozens of clients, creating custom solutions for startups and multinationals like IBM and Abbvie.
You can try out the free version on GitHub. See the end of the README for license concerns - in short, you'll want to purchase a license here before you deploy to production.
If you're not happy with TwoFactorAuth, I don't want your money. If you are unsatisfied, I'll refund any payment made in the last 30 days and help you remove it from your site.
There's only one other Ruby gem (ruby-u2f) that comes close to the functionality of TwoFactorAuth. I've read its code and am working on a patch for a security vulnerability I found. Even if it's the competition, I don't want to see insecure code.
Even after I fix that, TwoFactorAuth is a better choice for keeping your site safe. TwoFactorAuth authenticates users with a standard ActiveRecord validation rather than raising exceptions, has four times as many tests, is actively maintained as browser support matures, and offers professional support and integration.
(Writing this section just about killed this nerd. I hate sleazy sales and I don't want to promote TwoFactorAuth by insulting the other option. Please read the projects' code and tests when you decide.)
If you need more than 100,000 active keys or are concerned about advanced features like auditing, maintenance contracts, HIPAA compliance, or an SLA, please contact sales@ so we can talk about your needs.
If you want to embed TwoFactorAuth in an appliance or product you sell, please purchase a license for each install or contact sales@ for an embedded license.