This is a feature that we’re very excited to announce. Bubble now supports 2-factor authentication, and this applies both to your Bubble account and to apps built on Bubble!
With two-factor authentication turned on, anyone logging in as you to an app will need to have access to a mobile device linked to your account. We support using the Google Authenticator and Authy apps to link your device (though other TOTP apps should work as well).
For your Bubble account, we can go to your account page and set up this protection. You should download the application that you want to use, and then scan the QR code that will be shown and enter the first token to activate 2FA. Once this is set up, you’ll be prompted to enter this code whenever you try to log in.
We strongly recommend setting up two-factor authentication to protect the security of your account.
You will also be able in the account page to generate some one-time back up codes, that you can use to log in when you lose your phone. It is important to keep these codes in a safe place.
Adding 2FA to your apps
You can now add 2FA protection to your apps as well (if you are on the Production plan). As our own app is built on Bubble, this use the same workflow actions. To se this up, you basically need 4 things:
- First, you need to activate 2FA to your app in the General tab of the Settings tab (note that the plan needs to be production for this to work).
First, you need to build a workflow that users can run when they’re logged in to generate an individual QR code for their account. This action returns an image that you can display in a group that has an image element.
Then you need a second workflow to validate the token and activate 2FA. This should be the token the users see when they scan the QR code.
Lastly, you need to define a page where users will be redirected to to enter their token, and add a simple workflow there using the check 2FA Token action. Once a user has been through that workflow, he/she will be logged in.
Optionally, you can add some actions to disable 2FA, or generate back up codes. You can also access the 2FA status of a user by doing Current User’s 2FA activated (which returns yes/no).
Here is the detail for the different actions: https://bubble.io/reference#Actions.Generate2FAQRCode
This will help building more secure apps.