[New Feature] Two-Factor Authentication

emmanuel · March 20, 2018, 11:00pm

This is a feature that we’re very excited to announce. Bubble now supports 2-factor authentication, and this applies both to your Bubble account and to apps built on Bubble!

With two-factor authentication turned on, anyone logging in as you to an app will need to have access to a mobile device linked to your account. We support using the Google Authenticator and Authy apps to link your device (though other TOTP apps should work as well).

Bubble Account
For your Bubble account, we can go to your account page and set up this protection. You should download the application that you want to use, and then scan the QR code that will be shown and enter the first token to activate 2FA. Once this is set up, you’ll be prompted to enter this code whenever you try to log in.

We strongly recommend setting up two-factor authentication to protect the security of your account.

You will also be able in the account page to generate some one-time back up codes, that you can use to log in when you lose your phone. It is important to keep these codes in a safe place.

Adding 2FA to your apps
You can now add 2FA protection to your apps as well (if you are on the Production plan). As our own app is built on Bubble, this use the same workflow actions. To se this up, you basically need 4 things:

First, you need to activate 2FA to your app in the General tab of the Settings tab (note that the plan needs to be production for this to work).

First, you need to build a workflow that users can run when they’re logged in to generate an individual QR code for their account. This action returns an image that you can display in a group that has an image element.
Then you need a second workflow to validate the token and activate 2FA. This should be the token the users see when they scan the QR code.
Lastly, you need to define a page where users will be redirected to to enter their token, and add a simple workflow there using the check 2FA Token action. Once a user has been through that workflow, he/she will be logged in.
Optionally, you can add some actions to disable 2FA, or generate back up codes. You can also access the 2FA status of a user by doing Current User’s 2FA activated (which returns yes/no).

Here is the detail for the different actions: https://bubble.io/reference#Actions.Generate2FAQRCode

This will help building more secure apps.

petter · March 20, 2018, 11:00pm

Nice!!!

romanmg · March 20, 2018, 11:00pm

Brilliant. Thank you!

pauljamess · March 20, 2018, 11:00pm

Woah

paritosh.mehta19 · March 20, 2018, 11:00pm

Great! Thank You!

jonathan.timianko · March 20, 2018, 11:00pm

Thank you!!

timgarrett111 · April 16, 2018, 4:10am

Keen to know if anyone has been successful if getting this to work?

Cheers

nocodeventure · January 16, 2019, 8:00pm

Is this feature available for Marketplace Sellers? I am creating a dashboard where I want to integrate this feature.

emmanuel · January 16, 2019, 9:10pm

You want to add this to your app? If so, you should put on your a Production plan.

johnny · April 11, 2021, 10:25pm

Hey @emmanuel,

Is it possible to get an option where a code can be texted to the user? Instead of just through one of the apps?

steve18 · May 9, 2021, 8:41pm

Yeah, I am with you @adam5. I’m a cyber security professional; in fact my first app is a cyber security app. It’s a brand new app and I am a startup; I can’t afford the near-$6000 per year price tag to enable my users to have MFA. In this day and age, pay-gating cyber security seems ludicrous. @emmanuel – this is all kinds of wrong. Offering our clients proper security shouldn’t be $6000 per year!

IljaIljitsj · March 29, 2022, 3:49am

I’d like to second this. Security is a crucial thing to many users, regardless of the plan. I understand that we have to pay more to get more (and I’m very grateful about everything that Bubble allows us to build/create for such a low price), but 2FA should not just be available to the Production Plan I think. I would even prefer a custom additional price per month for 2FA over being forced to take a plan that you otherwise don’t need (and can’t pay)

pb.racing · April 20, 2022, 8:56am

Can this be made available on the personal plan with a one off payment? Don’t think I’d be alone in using this. Would help set bubble apart and help prevent harmful press for this great company.

pb.racing · April 20, 2022, 9:04am

… @emmanuel , a consideration here is startup companies seeking cybersecurity insurance who get charged a premium without 2FA. I’m getting this insurance myself for a medical startup but can’t justify the $529 production plan while starting out.

IljaIljitsj · January 27, 2023, 7:43pm

Just to stress the point: I just had a meeting with a customer to whom MFA is an absolute dealbreaker. Without it, they won’t use a Bubble app.

lisaalger · August 2, 2023, 10:32am

Is this still a premium feature or is it available to all now?

gerbertdelangen · August 2, 2023, 4:11pm

Available on the growth plan and above:

But easy to implement yourself (in case you want it for your users) using a service like Twilio.

Gerbert
MVP Design