Here is a small and handy addition for having an extra level of security for the accounts.
Two-factor authentication is a widely-used mechanism for making sure that the account is only reachable by you and Uptime Robot now supports it.
The feature can be found at My Settings>Two-Factor Authentication (2FA) menu and you can choose to use your favorite authenticator app like Google Authenticator, Authy.. for activating it.
Once activated, the login pages will ask for the authentication code (besides the password) which can only be generated with your authenticator app (and, we are working on adding this feature to various other actions besides the login).
Hope that it helps for a better experience :).
46 Comments
This is very good news, but for our enterprise use we would prefer being able to associate multiple U2F security keys, as many systems like Google currently allow.
Also: what about backup mechanisms (SMS, static "backup codes", etc.)? Is the only backup/safeguard option to save a copy of the initial secret key and use it to configure a new TOTP device?
Thanks!
Hi Peter,
thank you for your feedback, we will reconsider it. For now, unfortunately, there are no other backup options.
discord 2fa?
Hi, could you specify it, please?
will you support DUO 2fa via api push?
Hi Mike, there are no plans for it at the moment. If you wish you can suggest it on Nolt where everyone can vote for it: https://uptimerobot.nolt.io/
U2F support would be great. Most major platforms support it too (Google, GitHub, etc.).
Great move, adding 2FA. But the recovery question with fixed questions isn't. I should be able to come up with the question myself.
Happy to see 2FA being rolled out! There is one small issue, you dont currently provide the key with the barcode. This is needed for two reasons, a) if you are setting up 2FA from your mobile phone, it isnt possible to scan the barcode. And b) people need to be able to save the key in order to restore their token in the event that they lose/replace/wipe their mobile device.
Thank you for adding support for the best form of 2FA out there (Google Authenticator).
I've been through the nightmare of having lost my 2FA device before and know how painful it is with all of the challenges involved with resetting a 2FA link, so I always immediately back up my secret random string (that's part of every 2FA setup). I'm sure many others aren't as diligent when setting it up and will eventually lose their 2FA device. Your way of setting up a secret security question+answer is an excellent solution to the lost 2FA device problem. Kudos to UptimeRobot's development team.
UptimeRobot is an awesome product all around. Thanks for everything. You guys rock!
Hi, how did you recover your 2FA code? i dont remember it
Hi Juan,
please contact our support and we'll be happy to help you access your account - support@uptimerobot.com
Excellent article! thanks for sharing
That's awesome, thanks!
Would be nice to see Webauthn as well - tapping a security key is a lot faster than having to type out codes. Having multiple second factors would also let us avoid having to create fallback security questions.
Thank you for your feedback, Alex! We appreciate it and will reconsider it in the future :)
U2F/Webauthn Maybe?
Thank you for the suggestion, we will reconsider it in the future :)
While 2FA is great in this case - it would be great if you allowed SAML login access to the platform as well. That would be a great additional layer of identity security in terms of accessing uptime robot in an enterprise environment.
Hi Marques,
thank you for your feedback! We will reconsider it.
I agree to SAML
Wait. You replaced the password with the token? You took away a factor. It’s one factor authentication.
Also, no option to use a text code to add to an Authenticator app? QR code only?
Who implemented this? You’ve made your system massively more unsecure
Hi! Thanks for adding this, but there are no backup codes I see. Will you add support for it?
Hi Martin,
thank you for reaching out to us, there are more changes planned at the moment, we will reconsider the 2FA in the future too, so stay tuned! :)
Hey,
It would be nice to actually have multiple users that can login in the company platform.
Nice feature nevertheless
Hi there,
thank you for your feedback! This feature is already planned and will be added soon :)
What's the process for account recovery if I lose access to my phone or code-generator?
Hi John,
in that case, I am sure you will be able to solve it with our customer support!
It's 2019... Can we get U2F support as well?
Hi Jonathan, thank you for your feedback, we will reconsider it, there are more changes planned at the moment.
Hi Uptime Robot Team,
First off, you are doing an amazing job and I love the product!! Also, thank you for making it possible to use an app instead of SMS, I much prefer this method.
I want to bring awareness to FreeOTP as another alternative to Google Authenticator and Authy. It is often left out of 2FA software discussions, yet it is a free and open source option that is just as powerful as its competitors.
https://freeotp.github.io/
All the best,
Jason
Absorbing Chaos LLC
Hi Jason,
thank you for your feedback, we appreciate it!
I understand that this service might not be high risk, but this implementation of 2FA is bad. It is stupid to not only allow anyone, who can answer the security question, to remove 2FA, but requiring users to set one as well, effectively undermining the 2FA entirely. Furthermore, the security questions encourage users to use potentially public or inconsistent/unstable information as their "secondary password". Generate random recovery codes instead like any decent 2FA implementation.
Furthermore, you ask the user which question they selected when they activated 2FA. So if the users do as they are encouraged to and answer truthfully, they still either have to write down the security question (???) or brute force their way in if they lose their 2FA key.
Hi Niklas,
thank you for your feedback, we will reconsider it, there are more changes planned now :)
Great News!
(Though I would've preferred WebAuthN/FIDO2/U2F...)
A bit late perhaps, but it's never *too* late to improve security. Glad you've added support!
Is there any plans for SSO through Azure AD? 2FA is awesome, but it would be even better if we could integrate sign in rules through Azure AD. Most applications now are allowing SSO for one screen login to all enterprise applications.
Hi Stephen, this is not planned yet, but thank you for the idea! We will reconsider it.
This is great news for us to protect our accounts! Do you guys also the one who made the steam authenticator?
Thank you for your feedback! :) Could you please specify what you mean?
Works fine :) Thanks
Happy to hear that!
Nice, thank you for that!
Always welcome, Tomasz! :)
You could add an "Signal" notification bot or maybe also WA but I don't know how WA supports Bots.
Hi there,
thank you for your feedback! We are already thinking about Signal.