Two Factor Authentication (Without SMS)
Two Factor Authentication has already been added; however, SMS verification is the bare minimum security for Two Factor Authentication. The technology is susceptible to SIM Swap attacks. It doesn’t take much for a hacker to perform a SIM Swap. If they have access to one other piece of personal information, like your social security number, they can call your carrier and move your number to a new SIM card.
Secondly, hackers can intercept SMS messages. It all comes back to the now-dated Signaling System No. 7 (SS7) phone routing system. The methodology was designed back in 1975 but is still used almost globally to connect and disconnect calls. It also handles number translations, prepaid billing, and crucially, SMS messages.
Please make RedTail compatible with Authenticator apps such as Google Authenticator, LastPass Authenticator, Authy, etc. These avoid the SMS method of Two Factor Authentication and are much more secure. Many companies that are staying up to date with their cyber security measures are making their programs compatible with authenticator tools.
And even better: if you make Redtail compatible with the most popular Authenticator programs, it would be even more beneficial to also make RedTail compatible with Universal 2nd Factor keys for even greater security.
Redtail’s Product Owner has read the suggestion and there is some internal discussion needed in order to determine next steps.
This suggestion is remaining open and can continue to gather votes and comments!
This needs to be added on as a feature so that people can use authenticator apps and accounts are not tied to a personal employee cell phone.
It is also much easier to have everything in one place instead of asking employees to remember that everything is in the authenticator, EXCEPT redtail crm.
Another thing to consider: With SMS-based codes, if our hourly employees access Redtail they would have to use a personal phone for work purposes, which we cannot allow. This means that we can't even use SMS-based 2FA.
Daniel N. commented
Another security concern that is present currently is that when a 2FA code is sent via SMS, Redtail shows the entire cell number. This is yet another security concern for people concerned about SIM swapping, as it makes it even easier for a hacker since they see the entire cell number that the code is being sent to. Most websites/programs that offer 2FA don't show the entire phone number, only the last 4 digits.
I totally support this. SMS-based two-factor authentication is actually two-STEP authentication and is much weaker for plenty of reasons, some of which Daniel posted here. Besides SMS itself being pretty weak, SMS-based two-step authentication is still just as vulnerable to phishing attacks - the SMS codes are generally valid for a pretty long time.
TOTP-based 2FA (like Google Authenticator, Authy, etc.) is better, and support for FIDO and U2F would be the best. If complexity and time to develop are an issue for Redtail, I hear that Authy has a basically "drop in" solution for TOTP-based 2FA.
Another related feature request is here: http://feedback.redtailtechnology.com/forums/281220-crm/suggestions/36477574-universal-2nd-factor-u2f-badly-needed-asap
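As an added illustration of the TOTP scheme the comments above recommend (this is example code, not anything from Redtail or from the commenters), here is an RFC 6238 generator and server-side verifier. The secret is the RFC's own test value, and the one-window drift tolerance is an assumed server policy; the point it demonstrates is the short lifetime of a TOTP code compared with a long-lived SMS code.

```python
import base64
import hashlib
import hmac
import struct

# Seed from the RFC 4226/6238 test vectors; authenticator apps receive it base32-encoded in the QR code.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # decodes to b"12345678901234567890"
STEP_SECONDS = 30


def decode_secret(b32: str) -> bytes:
    """Decode the base32 seed exactly as an authenticator app would after enrollment."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time window."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check. Accept the current window plus `drift` windows on either side
    to tolerate clock skew (drift=1 is an assumed policy). Anything older is rejected,
    which bounds a TOTP code's usable lifetime to roughly a minute."""
    window = unix_time // STEP_SECONDS
    for counter in range(window - drift, window + drift + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    secret = decode_secret(TEST_SECRET_B32)
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(secret, t))
    code = totp(secret, 59)
    print("same window:", verify_totp(secret, code, 59))        # True
    print("90 s later: ", verify_totp(secret, code, 59 + 90))   # False: window expired
```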