Sometimes we are asked whether Sporty provides 2FA (two factor authentication) or MFA (multi-factor authentication) for accessing the platform. If you want people from your organisation to be required to use 2FA each time they need to login, please email your request to support@sportsground.com.
What is 2FA and MFA?
Most online services use a username/password combination for logging in. This traditional method of user access control works well, especially when the service provider has taken steps to prevent brute force attacks (where an attacker automatically tries millions of username/password combinations in the hope of finding one that works).
However, sometimes a username/password combination is compromised because of poor security behaviour by the user. For example:
- (a) a user might choose a weak password (such as "1234" or the word "password"), or
- (b) the user might use the same username/password combination for multiple sites, and one of those other sites might fail to encrypt username/password combinations, so these could be exposed if that site was subsequently breached.
To help protect people whose username/password combination is insecure, some online services add an extra layer of security before users can login. This is sometimes called "Two-Step Verification" or "Two-Factor Authentication" or "Multifactor Authentication". In these instances, when you sign in for the first time on a new device or app (like a web browser) you need more than just a username and password. You need a second verification method or "factor" to prove who you are.
Each "factor" is one way of confirming your identity when you sign in. For example, a password is one type of factor, being a thing that you know. The three most common kinds of factors are:
- Something you know - Like a password or a PIN
- Something you have - Like a phone, access to an email account, or a secure USB key (dongle)
- Something you are - Like a fingerprint, or facial recognition
Some services require users to have a second factor of identification to protect people who choose weak passwords or happen to use the same username/password combination on another site whose security was breached.
Why doesn't every online platform require 2FA or MFA?
The main reasons that some sites prefer not to require 2FA or MFA are:
- Dependency on devices/email access: if you happen to not have access to your second factor (like your phone or your email) at the time you need it, you'll be unable to login. This is frustrating, especially for educated users who practise good security behaviour by using strong passwords and not reusing passwords.
- Implementation costs: setting up and maintaining 2FA/MFA systems can be costly and require ongoing management.
- Increased login time and complexity: the extra step can make the login process take a little longer, which some people find inconvenient, especially when they just want to perform a quick task.
Most service providers weigh and balance the cost and inconvenience of 2FA/MFA compared with the risk of what an unauthorised user could see or do once logged in. They also consider how educated the authorised users are likely to be in relation to security. If authorised users follow good security practices and the site is built to prevent brute force attacks (for example, by limiting the number of login attempts), then 2FA/MFA is often deemed to introduce unnecessary inconvenience.
What is Sporty's position on 2FA/MFA?
We recommend that organisations enable 2FA for their logins to the Sporty platform. However, we acknowledge that many organisations do not want the inconvenience or to spend the extra time and effort whenever they need to login. Therefore, we have made 2FA optional on an organisation-by-organisation basis so you can decide whether or not your own policy requires your administrators to adopt it.
Many platforms that support 2FA (such as Xero) still allow people to click a "Remember me" checkbox that avoids the need for further authentication with that browser or device indefinitely or for a set number of days. Sporty also supports the ability for each organisation to decide how many days the "Remember me" function will work until the user is required to reauthenticate via 2FA.
What method of 2FA does Sporty support?
Sporty uses a username/password combination as the first factor and a one-time code sent to your email address as the second factor. Once 2FA is enabled for your organisation, your administrators will need to successfully navigate both steps whenever they need to login.
Once they correctly enter their username/password combination, they will see a pop-up message that states:
Check your email
We’ve sent a magic link/code to [LARGELY OBSCURED EMAIL ADDRESS]
Please click the link in your email or enter the code below to access your account.
If you don’t see the email, it should arrive within a few minutes. Make sure to check your spam or junk folder.
Didn’t receive the email? Resend the code.
Don't have access to this email? Contact your organisation to modify the email address associated with your account.
The person must then check their email and either click the one-time link or copy and paste the one-time code to complete their login.
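As an added illustration (this is not Sporty's own code, which the page does not show), the following Python sketch models the mechanics described in this section and in the "Remember me" paragraph above: after the password step the server emails a one-time code, accepts it only once and only within a short window, voids it after too many wrong guesses, and can issue a "Remember me" token that expires after the number of days the organisation chose. The send_email hook, the 10-minute validity and the 5-guess limit are assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 10 * 60           # constructed: emailed code stays valid for 10 minutes
MAX_CODE_ATTEMPTS = 5        # constructed: wrong guesses allowed before the code is voided

class EmailSecondFactor:
    """Second login step after a correct password: a one-time code emailed to
    the user, plus an optional per-organisation "Remember me" device token."""

    def __init__(self, remember_days, send_email, now=time.time):
        self.remember_days = remember_days   # organisation's "Remember me" setting
        self.send_email = send_email         # assumed hook: send_email(address, code)
        self.now = now                       # injectable clock (tests, expiry checks)
        self.key = secrets.token_bytes(32)   # server secret so stored tags are not guessable
        self.pending = {}                    # user -> [code_tag, expires_at, attempts]
        self.devices = {}                    # token_tag -> (user, expires_at)

    def _tag(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def start(self, user, email):
        code = f"{secrets.randbelow(10**6):06d}"          # 6-digit one-time code
        self.pending[user] = [self._tag(code), self.now() + CODE_TTL, 0]
        self.send_email(email, code)                       # plaintext code leaves only by email

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None or self.now() > entry[1]:
            self.pending.pop(user, None)                   # expired or never issued
            return False
        entry[2] += 1
        if entry[2] > MAX_CODE_ATTEMPTS:
            del self.pending[user]                         # too many guesses: void the code
            return False
        if not hmac.compare_digest(entry[0], self._tag(submitted)):
            return False
        del self.pending[user]                             # single use
        return True

    def remember_device(self, user):
        token = secrets.token_urlsafe(32)                  # goes into a browser cookie
        self.devices[self._tag(token)] = (user, self.now() + self.remember_days * 86400)
        return token

    def device_is_trusted(self, user, token):
        rec = self.devices.get(self._tag(token or ""))
        return rec is not None and rec[0] == user and self.now() <= rec[1]
```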
Further info
Sporty encrypts username/password combinations so that in the unlikely event the platform is ever breached, Sporty will not be exposing these credentials in a way that can be used to access other sites. Sporty also has inbuilt protection from bots and a number of security measures that successfully thwart brute force login attempts. In over 15 years of service, we have never had one instance reported where someone has successfully logged in illegally using another person's credentials.