Boosting Account Security

At PassiveTotal, we recognize that threat research can be a sensitive topic and we’ve made it our priority to ensure our users are safe. In keeping with this mission, we are excited to announce that we now support two factor authentication using Google Authenticator or Duosec. This is a feature that is available for every user within our system for free.

How Does It Work?

If you log in to PassiveTotal through the web interface and click Settings, you will now see a new option, “Two-Factor”. Clicking this tab will show a screen similar to the one above. In order to begin the two-factor process, you must download the Google Authenticator or Duosec application on your smart device. We chose this implementation because it’s easy to use, is available on both Apple (Google or Duosec) and Android (Google or Duosec), and has been adopted by other big names including our hosting provider, Digital Ocean.

Once you have the application installed, simply tap “Set up account” and scan the personalized barcode on your profile page. You should now see a new “PassiveTotal” entry within the application and a 6-digit rotating code. Enter the 6-digit verification code into the input below the barcode and that’s it. The next time you log in, you will need your smart device and the Google Authenticator application to complete the authentication process.
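What the enrollment flow above does under the hood is standard TOTP (RFC 6238): the barcode encodes an `otpauth://` URI carrying a shared secret, the app derives a 6-digit code from that secret and the current 30-second time step, and the server recomputes the same code to check it. The following is an added example, not PassiveTotal's code; the `STEP`, `DIGITS` and `window` values are assumptions that match the Google Authenticator defaults.

```python
"""Added example (not PassiveTotal's own code): a minimal RFC 4226/6238 implementation
covering the three pieces of the enrollment flow described above: the provisioning URI
that the QR barcode encodes, the 6-digit rotating code, and the server-side check.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

DIGITS = 6   # assumed: Google Authenticator default code length
STEP = 30    # assumed: seconds per code, Google Authenticator default


def generate_secret(num_bytes: int = 20) -> str:
    """Return a fresh random secret, base32-encoded as authenticator apps expect.
    The server stores this per user; it must never be shown again after enrollment."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the 'personalized barcode' (QR code) encodes."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "digits": DIGITS, "period": STEP}
    )
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to DIGITS decimal digits (zero-padded)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the authenticator app displays and rotates every STEP seconds."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP)


def verify(secret_b32: str, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check of a submitted code, tolerating +/- `window` time steps of
    clock drift between phone and server. Uses a constant-time comparison."""
    now = int(time.time()) if at is None else at
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, now // STEP + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "PassiveTotal"))  # encode this in the QR
    code = totp(secret)
    print("current code:", code, "verifies:", verify(secret, code))
```

A real deployment also records the time step of the last accepted code and rejects a second submission for that same step, so a code captured in transit cannot be replayed within its 30-second lifetime, and it rate-limits attempts, since a 6-digit code has only a million possibilities.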

But Wait, There’s More

Adding extra layers to the authentication process is awesome, but we wanted to ensure our users were also protected even after they had logged into the platform. Starting today, anytime a sensitive item has been changed in your account, we will send a confirmation email letting you know of the change.

You may be asking yourself, what exactly do we deem sensitive? Great question; here’s what we are currently tracking and alerting on as of today:

  • Password change (from inside the application or outside using forgot password)
  • Resetting your API key
  • Joining an organization
  • Enabling or disabling two-factor authentication
  • Data from your account is backed up

Additionally, in cases where suspicious queries are run or it appears a particular account is being abused, we will alert the user and work with them to identify the problem. While not incredibly ground-breaking, we think these changes are valuable and worth sharing with the community.

As always, if you have any ideas or suggestions to improve our process, please let us know by tweeting us on Twitter or sending a message to info[@]passivetotal.org.