[New Feature] Two-Factor Authentication

This is a feature that we’re very excited to announce. Bubble now supports 2-factor authentication, and this applies both to your Bubble account and to apps built on Bubble!

With two-factor authentication turned on, anyone logging in as you to an app will need to have access to a mobile device linked to your account. We support using the Google Authenticator and Authy apps to link your device (though other TOTP apps should work as well).

Bubble Account
For your Bubble account, we can go to your account page and set up this protection. You should download the application that you want to use, and then scan the QR code that will be shown and enter the first token to activate 2FA. Once this is set up, you’ll be prompted to enter this code whenever you try to log in.

We strongly recommend setting up two-factor authentication to protect the security of your account.

You will also be able in the account page to generate some one-time back up codes, that you can use to log in when you lose your phone. It is important to keep these codes in a safe place.

Adding 2FA to your apps
You can now add 2FA protection to your apps as well (if you are on the Production plan). As our own app is built on Bubble, this use the same workflow actions. To se this up, you basically need 4 things:

  1. First, you need to activate 2FA to your app in the General tab of the Settings tab (note that the plan needs to be production for this to work).

  1. First, you need to build a workflow that users can run when they’re logged in to generate an individual QR code for their account. This action returns an image that you can display in a group that has an image element.

  2. Then you need a second workflow to validate the token and activate 2FA. This should be the token the users see when they scan the QR code.

  3. Lastly, you need to define a page where users will be redirected to to enter their token, and add a simple workflow there using the check 2FA Token action. Once a user has been through that workflow, he/she will be logged in.

  4. Optionally, you can add some actions to disable 2FA, or generate back up codes. You can also access the 2FA status of a user by doing Current User’s 2FA activated (which returns yes/no).

Here is the detail for the different actions: Bubble account security - Bubble Docs

This will help building more secure apps.

42 Likes

Nice!!!

1 Like

:heart_eyes: Brilliant. Thank you!

2 Likes

Woah :ok_hand:t3:

Great! Thank You!

Thank you!!

Keen to know if anyone has been successful if getting this to work?

Cheers

Is this feature available for Marketplace Sellers? I am creating a dashboard where I want to integrate this feature.

You want to add this to your app? If so, you should put on your a Production plan.

Hey @emmanuel,

Is it possible to get an option where a code can be texted to the user? Instead of just through one of the apps?

2 Likes

Yeah, I am with you @adam5. I’m a cyber security professional; in fact my first app is a cyber security app. It’s a brand new app and I am a startup; I can’t afford the near-$6000 per year price tag to enable my users to have MFA. In this day and age, pay-gating cyber security seems ludicrous. @emmanuel – this is all kinds of wrong. Offering our clients proper security shouldn’t be $6000 per year!

8 Likes

I’d like to second this. Security is a crucial thing to many users, regardless of the plan. I understand that we have to pay more to get more (and I’m very grateful about everything that Bubble allows us to build/create for such a low price), but 2FA should not just be available to the Production Plan I think. I would even prefer a custom additional price per month for 2FA over being forced to take a plan that you otherwise don’t need (and can’t pay)

7 Likes

Can this be made available on the personal plan with a one off payment? Don’t think I’d be alone in using this. Would help set bubble apart and help prevent harmful press for this great company.

3 Likes

@emmanuel , a consideration here is startup companies seeking cybersecurity insurance who get charged a premium without 2FA. I’m getting this insurance myself for a medical startup but can’t justify the $529 production plan while starting out.

3 Likes

Just to stress the point: I just had a meeting with a customer to whom MFA is an absolute dealbreaker. Without it, they won’t use a Bubble app.

1 Like

Is this still a premium feature or is it available to all now?

Available on the growth plan and above:

But easy to implement yourself (in case you want it for your users) using a service like Twilio.

Gerbert
MVP Design

I am not able to make this work
is it possible to have more detailed instructions?

When you have 2FA enabled log the user in must be the last step in the workflow
and how should i know who the user is for 2FA before logging the user in?

1 Like

Buenos días.

Al intentar habilitar 2fa en mi aplicación me encontré con los siguientes.

Tengo mi página de inciar session donde ejecuto el proceso LOG DE USER IN
en donde el usuario teclea su email y password

Adicional cree una página llamada mfa donde tengo el proceso CHECK 2FA TOKEN y la configure en las opciones generales.

De esta forma me indica que el log de user in debe estar en la página MFA y debe ser el último paso a lo que mi pregunta es la siguiente.

En las recomendaciones indican que se debe crear una página para el CHECK2FA TOKEN pero entonces la página iniciar sesión no se requiere y todo debe estar en la misma página?? (Pagina MFA)

Si se requieren 2 paginas (Iniciar Session y MFA) que accion debo ejecutar en iniciar session?? Seria un Go to page MFA y envio el user y el password en la URL o cual seria lo mas conveniente ??

Con MFA despues de log de user in no puedes poner acciones como GO TO PAGE, Como se soluciona este caso ??

Tendran algun tutotial detallado sobre el metodo correcto de configuración??

This feature is great, and I am in the process of implementing it for a client.

However, I can’t find a way to disable 2FA for another user via an action in a workflow. I would like to add the function for administrators in the application to be able to do this. Currently, the only method I’ve found is to update the record in the database directly, which is not accessible to application administrators.

Is anyone aware of a way to do this that I’m missing? I couldn’t find any documentation related to this, but I expected to find this functionality.

Thanks for your help!