Updates to DigitalOcean Two-factor Authentication

Today we’d like to talk about security.

We know how challenging it can be to balance security and usability. The user experience around security features can often feel like an afterthought, but we believe that shouldn’t be the case. Usability is just as important when it comes to security as any other part of your product because added friction can lead users to make less-secure choices. Today, we want to share with you some updates we rolled out this week to our two-factor login features to make them easier to use.

Our previous version required both SMS and an authenticator app to enable two-factor authentication. While SMS can work in a crunch, it’s no longer as secure as it once was, delivery for our international customers wasn’t always reliable, and tying both methods for authentication to the same mobile device definitely wasn’t a great experience for anyone whose phone was unavailable.

Our new two-factor authentication features allow developers to choose between an authenticator app or SMS as a primary method, and between downloadable codes, authenticator app, or SMS as backup methods. This way SMS stays an option, but isn’t a necessary part of securing access to your DigitalOcean account.

To take a look at the changes and enable it on your account, simply navigate to Settings and click the link in your profile to “Enable two-factor authentication.”

Making two-factor authentication a little easier and more broadly available is just a first step. We believe securing access to your infrastructure should be as simple as it is to spin up a few Droplets and a Load Balancer.

Do you have any suggestions for how we can help make security easier? We want to hear from you. We’re already considering features like YubiKey support. What else would you like to see? Please reach out to us on our UserVoice or let us know in the comments below.

Nick Vigier - Director of Security

Josh Viney - Product Manager, Customer Experience