First of all, don’t take this as criticism on the Bubble team, because it is truly amazing what Bubble has allowed me and many thousands of other entrepreneurs to develop without any coding knowledge. Probably my worst nightmare as an entrepreneur is that Bubble quits doing what they do.
But having said that, I do want to publicly repeat/stress something I’ve read somewhere on the forum before. Nowadays, Multi-factor Authentication is arguably a basic/central element of having a decent security structure as an app. I don’t think that having access to it should depend on having a production plan (about $500 a month). This goes hand-in-hand with another ‘complaint’ I have as a European user: the inability to locate one’s servers in Europe without scaling up to a dedicated plan (which is even more expensive). I understand that the need for this might disappear when a new US-EU Privacy Shield is drawn up, but this is speculative and leads to a vulnerable structure for EU users (what happens if this agreement is also ruled to be unlawful in the future?).
In my mind, Bubble right now has all the features it needs for 90%-95% of its users, especially since the new responsive engine was launched. I’m sure it already is, but GDPR compliance/accessibility of security measures should be an absolute top priority for the team.
To me that would already be too much to be honest, for the first phase of launching my business. That doesn’t mean I’m not willing to pay for Bubble, but as a start-up €500/month in order to simply comply with EU law is too much. That doesn’t mean I’m not willing to pay for Bubble (quite the opposite). Bubble’s pricing model is great and accessible, and they should keep it that way. It’s just this security aspect that is unreasonable (the only way to comply with legal standards is to pay a lot).
Quick update from my side: I overlooked the fact that MFA is not that difficult (pretty easy actually) to make yourself. Just include the verification of a code (sent through either e-mail or text) in the log-in process. So the fact that Bubble-side MFA is only available to more expensive plans, isn’t that big of an issue.
On EU-based servers: there’s actually an argument to be made that US-based servers also don’t directly breach the GDPR. Bubble’s own GDPR guide makes some decent points on this (standard contractual clauses as the transfer mechanism for the EU-US data transfer may well suffice). Moreover, a Data Privacy Framework between the EU and the US has been concluded, on which a draft adequacy decision by the Commission has already been issued. If not (again) struck down by the ECJ, this should grant the US an adequate level of protection under the GDPR.
Sure! MFA is basically adding an extra validation point for a user logging in, next to them entering their password. A logical implementation would be to send them an email with a code, that is valid for a couple of minutes, and that they have to enter. You could also send them a text of course. This means that, in practice, you have to:
Create a datatype ‘MFA code’, with the code you’ll create, and ‘MFA date’, with the date & time before the user has to enter the code
Create a workflow after the user logs in, which automatically sets a new MFA code for this user and updates the MFA date (e.g. to current date & time + 10 minutes). Then you have to e-mail this code to the user’s email address
Create a page/pop-up/group/whatever, where the user can enter their MFA code after logging in. Once they’ve entered their MFA verification details, you can forward them definitively to the homepage of the app
Probably you want to create a redirect-workflow at your app’s pages, e.g. ‘when current user’s MFA logged in? is “no”’ → send user to the MFA page (or show them the pop-up). This is done to keep the user from bypassing the MFA workflow by simply going directly to another page of the app.
It’s pretty basic actually. It’s all about creating and sending a temporary code to your user, and creating a system that enforces it.
Thanks for sharing this. 2 questions:
1/ How do you create the MFA code to make it random?
2/ What condition do you use to ensure the user can log in by pasting the received code in the pop-up?
Create it in the backend using the Calculate formula action to generate a random sequence of numbers. Not close to true randomness, but good enough.
On the workflow with the ‘Log the user in’ action, run an action to verify the code is correct (this should call a backend workflow that can return the yes/no value for whether the code is correct, bypassing privacy rules). If it’s not correct, terminate the workflow so they can’t log in.
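The e-mail-code MFA flow laid out earlier in the thread (generate a code, store it with an expiry, verify it server-side, redirect users who have not completed it) and the two answers just above (how the code is generated, and verifying it in a backend workflow that only returns yes/no) map onto a few functions. The Python below is an added example written for this thread, not code from Bubble or from any of the posters. It assumes an in-memory dictionary standing in for the User data type (with fields named after the post: ‘MFA code’, ‘MFA date’, ‘MFA logged in?’), a callback standing in for the e-mail/SMS send, and uses Python’s `secrets` module for the code rather than the Calculate formula mentioned in the answer. It also adds two checks the posts do not spell out: the code is single-use, and a challenge locks after a handful of wrong guesses so a short numeric code cannot simply be guessed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 6          # length of the one-time code sent by e-mail/SMS
CODE_TTL_SECONDS = 600   # "current date & time + 10 minutes" from the post
MAX_ATTEMPTS = 5         # assumed limit: lock the challenge after this many wrong guesses


@dataclass
class User:
    """Stand-in for the Bubble User type; field names mirror the thread."""
    email: str
    mfa_code: Optional[str] = None      # 'MFA code' (never sent to the browser)
    mfa_expires_at: float = 0.0         # 'MFA date', here as a unix timestamp
    mfa_attempts: int = 0               # assumed extra field for lockout
    mfa_logged_in: bool = False         # 'MFA logged in?' yes/no


# Constructed in-memory "database" for the example.
USERS: Dict[str, User] = {}


def generate_code(digits: int = CODE_DIGITS) -> str:
    """Zero-padded numeric code drawn from a cryptographically secure source."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def start_mfa_challenge(user: User, now: float, send: Callable[[str, str], None]) -> None:
    """Backend workflow run right after the password login: issue a fresh code,
    reset the challenge state and deliver the code out of band."""
    user.mfa_code = generate_code()
    user.mfa_expires_at = now + CODE_TTL_SECONDS
    user.mfa_attempts = 0
    user.mfa_logged_in = False
    send(user.email, f"Your verification code is {user.mfa_code}")


def verify_mfa_code(user: User, submitted: str, now: float) -> bool:
    """Backend workflow returning only yes/no. Because it runs server-side the
    'MFA code' field can stay hidden behind privacy rules."""
    if user.mfa_code is None:
        return False
    if now > user.mfa_expires_at or user.mfa_attempts >= MAX_ATTEMPTS:
        user.mfa_code = None            # expired or locked: a new challenge is required
        return False
    user.mfa_attempts += 1
    # Constant-time comparison so a wrong guess cannot be timed digit by digit.
    if hmac.compare_digest(user.mfa_code, submitted.strip()):
        user.mfa_code = None            # single use
        user.mfa_logged_in = True
        return True
    return False


def page_redirect(user: User) -> Optional[str]:
    """Page-load check from the post: users who have not completed MFA are
    sent to the MFA page instead of the page they navigated to."""
    return None if user.mfa_logged_in else "/mfa"


if __name__ == "__main__":
    outbox = []
    alice = User(email="alice@example.test")          # constructed sample user
    USERS[alice.email] = alice
    start_mfa_challenge(alice, now=1000.0, send=lambda to, msg: outbox.append((to, msg)))
    print("redirect before MFA:", page_redirect(alice))
    print("verify with sent code:", verify_mfa_code(alice, alice.mfa_code, now=1001.0))
    print("redirect after MFA:", page_redirect(alice))
```

The workflow-terminating step from the answer corresponds to checking the boolean returned by `verify_mfa_code` in the login workflow and stopping when it is false; the redirect rule from the earlier post is `page_redirect`, evaluated on every page load so the MFA page cannot be skipped by typing another URL.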