Two factor authentication and session management


We have just deployed a new set of features to improve the security of your Tilaa account:

Session management

Imagine you logged in to your Tilaa account on a public computer and forgot to log off. Oops! In the past you had to wait for the session to expire, which could give a window for someone to abuse your account. Unacceptable!

Fortunately you now have the ability to get an overview of active login sessions and log out other login sessions remotely. For convenience the session list also shows the IP address, reverse hostname and the device you’ve logged in from.

If you are an account administrator you can also view and destroy login sessions on behalf of other users.

Two factor authentication

Account hijacks are an increasing problem and can be a serious threat to the security of your Tilaa account. For example, your client PC could be infected with a keylogger or one of your users is the unsuspecting victim of a phishing attack.

You can now protect your account against these kinds of attacks by enabling two factor authentication (2FA). We currently support two popular authentication methods:

  1. Google Authenticator is a free app for smartphones and other mobile devices which generates time-based one-time passcodes (TOTP). Other TOTP apps (such as Authy or Microsoft Authenticator) are also supported.
  2. We support YubiKey one-time passcodes, which offer an even higher level of security because (contrary to a mobile device such as a smartphone) a YubiKey cannot easily be compromised. It requires a hardware dongle, which you can order online. Be sure to order one which supports “YUBIKEY OTP”. We don’t support FIDO U2F at this time.

To set up 2FA you will need to submit and verify your mobile phone number with an SMS code first. Should you somehow lose access to your 2FA device, you can disable 2FA using your mobile phone number as a fallback mechanism.

Account administrators can configure a global 2FA policy which will be enforced for all users under the customer account.

Trusted devices

For some devices you trust you might want to skip two factor authentication. For example, when using our webapp on your smartphone it’s quite a hassle to copy/paste a code from your 2FA app to your mobile browser each time you log in. So you can choose to add a device to the trusted device list during the 2FA process.

You can review your trusted device list and individually remove devices you no longer want to trust. Account administrators can remove trusted devices for all users under the customer account.

Security notifications

For account modifications which could potentially indicate an account compromise we are now sending email notifications: when 2FA is disabled for an account, when a device has been added to the trusted device list and when the login password has been changed.

We hope you like these new features, enjoy!
