Secure Acquia accounts with two-step verification and strong passwords

Today I’m proud to announce the general availability of three new authentication and access control security features for the Acquia Network. The following features will help ensure the security of your account and sites on Acquia Cloud by securing the sign-in process and enabling subscription-based access controls on the Acquia Network:

  1. Two-step verification (a.k.a. 2FA)
  2. Strong password enforcement
  3. IP address access control

Any user may set up two-step verification on their Acquia account; IP address control and password strength requirements can also be enforced for all team members and contacts accessing your Acquia Subscription. Continue reading to learn how these features work or go to the Acquia Library to get started right away.

Two-step verification for stronger identity verification

Normal authentication involves providing the system with something you know: a username and password. “Multi-factor authentication” involves proving your identity using multiple factors, such as something you know and something you have. One of the most common ways to accomplish this is to rely on the authenticating person having a mobile phone. A unique code sent to or generated by the mobile phone is used along with your username and password to sign in.

Acquia now supports two-step verification for signing into your Acquia account with these mobile phone integrations:

  1. Generating codes using authenticator apps on your mobile device (e.g. Google Authenticator)
  2. Sending a text message (SMS) to your phone (US or Canadian numbers only)

[Screenshot: Acquia two-step verification sign-in]

Additionally, you can mark your browser as “trusted” so you don’t have to go through verification again for 30 days. Finally, as part of setup, you will receive a set of recovery codes that you can use should you get locked out of your account. Learn more about two-step verification and how to enable it for your account.
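To show what the authenticator-app path described above actually computes, here is an added example (not Acquia's code) of the two building blocks: RFC 4226/6238 one-time codes, which is what apps like Google Authenticator generate, and single-use recovery codes stored only as hashes. The secret is the RFC test key and the account name, issuer and step size are assumptions for the example; a real deployment generates a fresh random secret per user at enrollment.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test key (an assumption for this
# example). A real system generates a fresh random secret per user, e.g. secrets.token_bytes(20).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step or up to `window` steps either side to tolerate clock drift.
    hmac.compare_digest keeps each comparison constant-time."""
    counter = int(at_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind encoded in the enrollment QR code that authenticator apps scan."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def generate_recovery_codes(count: int = 8) -> tuple:
    """Return (codes to show the user once, SHA-256 hashes to store server-side)."""
    codes = [secrets.token_hex(5) for _ in range(count)]          # 10 hex characters each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_recovery_code(stored_hashes: set, submitted: str) -> bool:
    """A recovery code is single-use: its hash is removed the first time it verifies."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # Assumed account name and issuer, purely for the demo URI.
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleIssuer"))
    print("code at t=59:", totp(DEMO_SECRET, 59))          # 287082 (RFC 6238 test vector)
    codes, stored = generate_recovery_codes()
    print("recovery code works once:", redeem_recovery_code(stored, codes[0]),
          "then never again:", redeem_recovery_code(stored, codes[0]))
```

The verification window is the usual trade-off: one step either side absorbs phone clock drift, while a wider window gives an attacker more valid codes per attempt, so it should be paired with rate limiting on the verification endpoint.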

Realistic password measurement and complexity enforcement

As recent account information leaks have shown, people often set weak account passwords and reuse passwords across different sites and systems. Despite these problems, password-based authentication will not be disappearing anytime soon, as it is prevalent, understood by most people, and appropriate for many cases.

The Acquia Network already has mitigation against brute-force password attempts as part of Drupal 7. But to encourage more secure passwords (and to make subscription-level enforcement possible), we’ve deployed a more realistic password strength measurement tool.

[Screenshot: password strength test flagging a weak password because it uses common words and too few characters]

Simplistic password enforcement tools check only strict rules such as string length and the number of character classes used (symbols, numbers, uppercase letters, etc.). It’s easy to see that a password like “Password1” is not really any more secure than “password”, but the addition of an uppercase letter and a number is often enough to satisfy simple measurement tools.

Instead of checking strict rules, we measure the strength of your password by finding the patterns it contains and summing the entropy of the most likely combination of those patterns. Patterns we can detect in passwords include:

  • Words that are found in a dictionary of common words, common first and last names, or common passwords.
  • Words that are found in the dictionary, but with common "1337" or "leet" substitutions, such as 4 or @ for a, and 5 for s.
  • Common sequences of letters (abcde), numbers (12345), or characters near each other on a keyboard (qwerty).
  • Three or more repeated characters.
  • Dates or years, such as "1921" or "19-11-1978."
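
To make the pattern-entropy idea concrete, here is an added example (not Acquia's tool) of a small estimator that finds the five kinds of pattern listed above, then chooses the lowest-entropy way to cover the whole password, charging brute-force bits for any character no pattern explains. The ranked word list, leet table, per-pattern bit costs and the weak/fair/good/strong thresholds are all constructed assumptions; a real tool uses large frequency-ranked dictionaries.

```python
from __future__ import annotations

import math
import re

# Constructed, frequency-ordered list (an assumption): rank 1 = most common.
COMMON = ["password", "123456", "qwerty", "letmein", "monkey", "dragon",
          "baseball", "football", "john", "smith", "mary", "jones"]
RANK = {w: i + 1 for i, w in enumerate(COMMON)}
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "$": "s", "5": "s", "7": "t"}
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES += [s[::-1] for s in SEQUENCES]                 # descending runs count too
YEAR_RE = re.compile(r"(?<!\d)(19|20)\d\d(?!\d)")
DATE_RE = re.compile(r"\d{1,2}[-/.]\d{1,2}[-/.](19|20)\d\d")
REPEAT_RE = re.compile(r"(.)\1{2,}")


def char_class_size(c: str) -> int:
    """Alphabet size an attacker must brute-force for one unexplained character."""
    if c.isalpha():
        return 26
    if c.isdigit():
        return 10
    return 33                                             # printable ASCII symbols


def uppercase_bits(token: str) -> float:
    """Extra guesses for the capitalisation used: Capitalised/ALLCAPS are obvious (1 bit),
    an arbitrary mix costs log2 of the number of ways to place the capitals."""
    letters = [c for c in token if c.isalpha()]
    upper = sum(c.isupper() for c in letters)
    if upper == 0:
        return 0.0
    if upper == len(letters) or (upper == 1 and letters[0].isupper()):
        return 1.0
    return math.log2(math.comb(len(letters), upper))


def find_matches(pw: str) -> list[tuple[int, int, str, float]]:
    """Return (start, end, kind, bits) for every pattern found anywhere in pw."""
    low, n, found = pw.lower(), len(pw), []
    for i in range(n):
        for j in range(i + 3, n + 1):
            tok, ltok = pw[i:j], low[i:j]
            unleet = "".join(LEET.get(c, c) for c in ltok)
            if ltok in RANK:                              # plain dictionary word
                found.append((i, j, "dictionary", math.log2(RANK[ltok]) + uppercase_bits(tok)))
            elif unleet != ltok and unleet in RANK:       # word with leet substitutions
                subs = sum(a != b for a, b in zip(ltok, unleet))   # one extra bit per substitution
                found.append((i, j, "leet", math.log2(RANK[unleet]) + uppercase_bits(tok) + subs))
            if any(ltok in s for s in SEQUENCES):         # abc / 123 / qwerty style runs
                found.append((i, j, "sequence", 2 + math.log2(j - i)))
    for m in REPEAT_RE.finditer(pw):                      # three or more repeated characters
        bits = math.log2(char_class_size(m.group(1))) + math.log2(m.end() - m.start())
        found.append((m.start(), m.end(), "repeat", bits))
    for m in DATE_RE.finditer(pw):                        # day-month-year with separators
        found.append((m.start(), m.end(), "date", math.log2(31 * 12 * 200)))
    for m in YEAR_RE.finditer(pw):                        # bare four-digit year, 1900-2099
        found.append((m.start(), m.end(), "year", math.log2(200)))
    return found


def estimate(pw: str) -> dict:
    """Dynamic programme: cheapest (lowest-entropy) cover of pw by patterns and single characters."""
    n = len(pw)
    by_start: dict[int, list] = {}
    for m in find_matches(pw):
        by_start.setdefault(m[0], []).append(m)
    best = [math.inf] * (n + 1)
    via: list = [None] * (n + 1)
    best[0] = 0.0
    for i in range(n):
        cost = best[i] + math.log2(char_class_size(pw[i]))     # option 1: brute-force this char
        if cost < best[i + 1]:
            best[i + 1], via[i + 1] = cost, (i, i + 1, "bruteforce", cost - best[i])
        for s, e, kind, bits in by_start.get(i, []):            # option 2: a pattern starting here
            if best[i] + bits < best[e]:
                best[e], via[e] = best[i] + bits, (s, e, kind, bits)
    parts, pos = [], n                                          # walk back to explain the score
    while pos > 0:
        s, e, kind, bits = via[pos]
        parts.append((kind, pw[s:e], round(bits, 2)))
        pos = s
    parts.reverse()
    bits = best[n]
    label = "weak" if bits < 28 else "fair" if bits < 40 else "good" if bits < 60 else "strong"
    return {"bits": round(bits, 2), "label": label, "patterns": parts}


if __name__ == "__main__":
    for pw in ["password", "Password1", "P@ssw0rd", "qwerty12345", "19-11-1978", "xK9#mQ2!vL7&pZ"]:
        print(f"{pw!r:18} {estimate(pw)}")
```

Running it shows the point made above: “Password1” scores only about four bits more than “password” (one bit for the capital, three for the trailing digit), and leet spelling or a date adds almost nothing, while a genuinely random string of the same length is charged full brute-force cost for every character.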

There’s a lot more that can be said on this topic, but to make your password less prone to abuse by an attacker, I encourage Acquia customers to set a new, stronger password. Also, like two-step verification, you can require team members and subscription contacts to have a certain level of password strength to access your subscription.

IP address whitelisting

By default, you, your team members, and contacts can access your subscriptions from any IP address. That makes sense for the vast majority of sites on the Acquia Network, but for the specific cases where you want to really lock down that access, you can now specify a list of approved IP addresses. Any connection attempts from IPs outside that list will be unable to access your subscriptions and sites on the Acquia Network. Read more about enabling IP address restrictions.
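As an added example (not Acquia's implementation) of the allow-list check described above, the following code decides whether a connection may reach a subscription, with the two details a practitioner most often gets wrong: IPv4-mapped IPv6 addresses from dual-stack front ends, and a forwarded client address that is only believed when the direct peer is one of our own proxies. The subscription id, allow-list entries, trusted proxy range and the in-memory denial log are all constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Constructed allow-list for a hypothetical subscription id (an assumption for this example).
# Entries may be single addresses or CIDR blocks, IPv4 or IPv6.
SUBSCRIPTION_ALLOW_LIST = {
    "sub-demo": ["203.0.113.0/24", "198.51.100.7", "2001:db8:1::/48"],
}
# Assumption: the reverse proxies / load balancers we operate. Only when the TCP peer is one
# of these do we believe the client address it forwards; anyone else can set that header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed in-memory audit trail of denied attempts (a real system ships these to its SIEM).
DENIED_LOG: list[dict] = []


def normalise(addr: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a dual-stack front end
    still matches IPv4 allow-list entries."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_ip(remote_addr: str, forwarded_for: str | None = None):
    """The address the policy applies to: the peer itself, or, when the peer is our proxy,
    the last address in X-Forwarded-For (the one our proxy appended). Assumes one proxy layer."""
    peer = normalise(remote_addr)
    if forwarded_for and any(peer in proxy for proxy in TRUSTED_PROXIES):
        return normalise(forwarded_for.split(",")[-1])
    return peer


def is_allowed(subscription: str, remote_addr: str, forwarded_for: str | None = None) -> bool:
    """True if the connection may access the subscription; denials are logged, bad input fails closed."""
    entries = SUBSCRIPTION_ALLOW_LIST.get(subscription)
    if not entries:
        return True          # no restriction configured: open from any address, the default above
    try:
        ip = client_ip(remote_addr, forwarded_for)
        allowed = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    except ValueError:       # unparsable address or header value
        ip, allowed = None, False
    if not allowed:
        DENIED_LOG.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "subscription": subscription,
            "peer": remote_addr,
            "client": str(ip),
            "x_forwarded_for": forwarded_for,
        })
    return allowed


if __name__ == "__main__":
    print(is_allowed("sub-demo", "203.0.113.45"))                       # True: inside the /24
    print(is_allowed("sub-demo", "::ffff:198.51.100.7"))                # True: mapped IPv4 unwrapped
    print(is_allowed("sub-demo", "10.1.2.3", "203.0.113.9"))            # True: trusted proxy forwarded it
    print(is_allowed("sub-demo", "192.0.2.50", "203.0.113.9"))          # False: header from an untrusted peer
    print(DENIED_LOG[-1])
```

The denial log is worth keeping even though access is already blocked: a burst of rejected attempts against one subscription from an address you do not recognise is exactly the signal an operations team wants to see.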

Get started with account security on Acquia Cloud

Adding two-step verification, setting a stronger password, and IP whitelisting on your account are important methods for improving the security of your Acquia account and sites. Read about how to set these up on the Acquia Library or sign up for a free Acquia Cloud account to get started. In later posts I'll go into detail about the technology and open-source tools you can use for enhanced security on your own Drupal sites.

Learn more with our Security team

Interested in defense-in-depth security measures for protecting your sites? Join me and other members of the Acquia security team at two upcoming events.

Online presentation: Best Practices for Drupal Security, April 30, 1pm EDT

We’re also offering a full day Drupal security training at DrupalCon Austin. While Drupal is a secure and mature web application, it can be built and configured insecurely or even deployed in an unsafe environment; join us May 2nd in Austin to learn about common security risks on the web and how you can build and maintain secure Drupal sites. Register for the training now to save $75.