Multi-factor authentication (and European server relocation) should be more widely available

First of all, don’t take this as criticism on the Bubble-team, because it is truly amazing what Bubble has allowed me and many thousands of other entrepreneurs to develop without any coding knowledge. Probably my worst nightmare as an entrepreneur is that Bubble quits doing that they do.

But having said, I do want to publicly repeat/stress that I’ve read somewhere on the forum before. Nowadays, Multi-factor Authentication is arguably a basic/central element of having a decent security structure as an app. I don’t think that having access to it should depend on having a production plan (about $500 a month). This goes hand-in-hand with another ‘complaint’ I have as a European user: the inability to locate one’s servers to Europe without scaling up to a dedicated plan (which is even more expensive). I understand that the need for this might disappear when a new US-EU Privacy shield is drawn up, but this is speculative and leads to a vulnerable structure to EU-users (what happens if also this agreement is ruled to be unlawful in the future?).

In my mind, Bubble right now has all the future it needs to 90%-95% of its users, especially since the new responsive engine was launched. I’m sure it already is, but GDPR compliance/accessibility of security measures should be an absolute top priority to the team.

5 Likes

Absolutely agree! Nothing comes for free but for the combination (so hosting in EU and MFA) I would be willing to consider 500,- a month.

1 Like

Hey,

Check this post and upvoted if you want EU servers so we can get traction on it to let Bubble know where loads of people interested in it:

1 Like

To me that would already be too much to be honest, for the first phase of launching my business. That doesn’t mean I’m not willing to pay for Bubble, but as a start up €500/month in order to simply comply with EU law is too much. That doesn’t mean I’m not willing to pay for Bubble (quite the opposite). Bubble’s pricing model is great and accessible, and they should keep it that way. It’s just this security aspect that is unreasonable (the only way to comply with legal standards is to pay a lot).

1 Like

Quick update from my side: I overlooked the fact that MFA is not that difficult (pretty easy actually) to make yourself. Just include the verification of a code (sent through either e-mail or text) in the log-in process. So the fact that Bubble-side MFA is only available to more expensive plans, isn’t that big of an issue.

On EU-based servers: there’s actually an argument to be made that also US-based servers don’t directly breach the GDPR. Bubble’s own GDPR guide makes some decent points on this (standard contractual clauses as the transfer mechanism for the EU-US data transfer may well suffice). Moreover, a Data Privacy Framework between the EU and the US has been concluded, on which a draft adequacy decision by the Commission has already been issued. If not (again) struck down by the ECJ, this should grant the US an adequate level of protection under the GDPR.

1 Like

Hi. Can you explain a bit further how you setup the MFA yourself? I would love to as well. Thanks!

Sure! MFA is basically adding an extra validation point for a user logging in, next to them entering their password. A logical implementation would be to send them an email with a code, that is valid for a couple of minutes, and that they have to enter. You could also send them a text of course. This means that, in practice, you have to:

  • Create a datatype ‘MFA code’, with the code you’ll create, and ‘MFA date’, with the date & time before the user has to enter the code
  • Create a workflow after the user logging in, which automatically sets a new MFA code for this user, updates the MFA date (e.g. to current date & time + 10 minutes). Then you have to e-mail this code to the user’s email
  • Create a page/pop-up/group/whatever, where the user can enter their MFA code after logging in. Once they’ve entered their MFA verification-detaills, you can forward them definitively to the homepage of the app
  • Probably you want to create a redirect-workflow at your app’s pages, e.g. ‘when current user’s MFA logged in? is “no”’ → send user to the MFA page (or show them the pop-up). This is done to keep the user from bypassing the MFA workflow by simply going directly to another page of the app.

It’s pretty basic actually. It’s all about creating and send a temporary code to your user, and creating a system that enforces it.

1 Like

Thanks a lot for having taken the time to respond! Will implement it soon and share here my step my step actions.

1 Like