While Americans were feasting on turkey and stuffing yesterday*, Francesco was back in Italy putting the final touches on the next release: Two Factor Authentication.

This is a first roll-out using a  one time code which will be sent to you via email during sign in to your Passpack account. You can choose the email you’d like to receive the code at, and whether or not you’d like it to be required all the time, or (my favorite) only when your Welcome Message is inactive.

This feature is completely optional. To set up a second factor of authentication, choose Two Factor Authentication from your Settings menu.

Two Step Login AND Two Factor Authentication

Passpack uses a two-step login. First step, the user has to be recognized – with User ID and Password or via a 3rd Party (Yahoo, Facebook, Twitter, etc.), second step is our famous Packing Key.

Most of you know that your Packing Key is known only to you and decrypts your data directly in the browser. But what some of you may not realize is that we also use it as an additional authentication step. This is because your data will only be released by the server to your browser if a hash of your Packing Key matches the one stored.

This approach is clearly safer than any other two-step approach. So, we have always been reluctant to add a “traditional” second factor of authentication. However, since there are a few users that periodically ask us for it, we decided to introduce some form of Two Factor Authentication.

We started with a simple one: a One Time Password (OTP) via email.

How to Set Up Two Factor Authentication

Go to the Settings tab and launch the command Two Factor Authentication. Passpack verifies the configuration and lists the available factors. Continue and, in the next screen, choose the email address where the OTP will sent. Also, you can choose to activate the second factor only when your Welcome Message doesn’t appear – for example, when you aren’t connected with your own PC.

In the next step Passpack will send you a test OTP to verify that you can receive it without issues (ex. excessive waiting time, anti-spam filters, etc.). Simply check your mailbox, copy the OTP from the message and paste it in the field to complete the process.

Please be aware that if you set this up, you must have access to your mailbox before logging into Passpack (don’t create a catch 22 folks!).

* Sorry, just HAD to get a reference to the turkey in here somehow [wink]


  1. Mike Christiansen

    That’s awesome, but that’s not really two factor authentication…

    1. What you know (Password)
    2. What you have (Security Token)
    3. Who you are (Biometrics)

    A one time password to my e-mail is just another instance of factor 1…

    So, we have the following:
    1. Username
    2. Password
    3. Packing Key
    4. One Time Password

    We have 4x 1 Factor authentications and 0x 2 Factor authentications.

  2. Francesco

    Hello Mike,

    I agree with you. This is not a real second factor. But, first of all, I had to develope a way to intersect the sign in process with a further step. Now we are ready to add more factors. What’s your suggestion for the next one?

  3. Dan

    Have a look at PhoneFactor.com. It looks promising and it’s probably quite easy to implement. And I’m not affiliated with them in any way…

    Another simple alternative to the email OTP would be an SMS OTP.

  4. Francesco

    Hi Dan,

    I tested PhoneFactor a year ago, and it worked perfectly. But it is free only for a limited number of users.We would have to introduce a prepaid credits plan in order to fully support it. The same is for SMS.

    So I preferred to start implementing Yubikey. I know that a Yubikey is not free, but I if you have one, you’re free to use it.

  5. Jordan

    I think a keyfob token, like RSA SecurID, that displays a one-time password you can type in would be useful.

  6. Ryan

    I would be willing to pay for a keyfob token. I would also be willing to pay per-use for SMS tokens.

  7. Dan

    Have you looked at using the VeriSign cards that PayPal uses? If you were able to use the same VeriSign backend for free, your users could use the same cards as they use for PayPal and that you can purchase from PayPal for $5.

    Alternatively, is there a way to force the Third Party login to be the *only* valid login to PassPack? That way, you could leave the whole two-factor issue up to the Third Party, such as OpenID or Yubikey.

    Finally, you might want to offer two levels of two-factor authentication availability: a free one that doesn’t cost you on the backend, and other options, such as PhoneFactor, that are only available to your paid subscribers. You could even offer such options as features on top of your paid subscription price.



  8. You likely don’t need a separate SMS OTP/token implementation. Most telephone companies provide an email to SMS gateway, so the existing email support is sufficient to accomplish the same thing.


Leave a Reply