Security Updates This Week
posted by: Steve Klabnik

At Balanced, we take security very seriously. We’re constantly on the lookout for ways to improve the way we do things, and security is no exception. This week, we landed three big improvements to different parts of Balanced that relate to secure operations: a security vulnerability disclosure policy, two-factor authentication on the Dashboard, and multiple API keys per marketplace.

Vulnerability disclosure

Vulnerabilities are both unfortunate and unavoidable. It’s incredibly important to set expectations around how disclosure of these vulnerabilities is handled.

To that end, we have a dedicated page, linked from our homepage, which clearly spells out our security disclosure guidelines: https://www.balancedpayments.com/security.

All of the work going into this policy was managed via this GitHub issue. If you read it, you’ll find that we took major cues from both Django and Rails’ policies when developing ours, with modifications where we differ.

We are also working on including the full text of the key on that page. If you’re not familiar with the distinction, the ‘key id’ we have on that page is essentially a hash of the key’s contents, and hashes can have collisions. While we have uploaded the key to public keyservers, it’s still good practice to replicate the full contents of the key. That will happen shortly.

One more thing to note about these guidelines: the page says “Mail sent to that address reaches a subset of the development team, limiting the exposure of the issue.” Currently, that subset consists of three people: myself, Noah, and Mahmoud. The key was generated by Noah, and then shared with myself and Mahmoud using our personal keys. In essence, there are three copies of that private key. We feel this setup is simple, and fits our current needs.

Any future updates to this setup will be communicated through this blog; we won’t just change the page without announcement.

Two-factor authentication

Given that Balanced is an Open Company, we often get feature requests via GitHub, just how we like ‘em. A few months ago, a user requested two-factor authentication for the Dashboard. And now, we have it!

If you’re not familiar with two-factor authentication, the idea is that you need two things (factors) to log in. Furthermore, the two factors are of different kinds. If we required two different passwords, that wouldn’t add a whole lot more security: someone could just steal both! In our implementation of two-factor authentication, we require you to know something (the password) and have something (your phone or some other computing device). If you enable two-factor authentication, someone could hack your Dashboard password, but they would also need to steal your phone in order to log in.

Here’s how it works: if you go to the account security page, you can click ‘enable’ to turn on two-factor authentication. On your phone, download any compatible application: I prefer Authy. The Balanced Dashboard will generate a QR code, which you can then scan with the Authy app. The app will then give you a code to confirm that everything is working, and then two-factor authentication is enabled for your account! The next time you log in, the Dashboard will prompt you for a token. Open up the app, and it will give you the token. Type it into the prompt on the Dashboard, and you’re good to go!

If you’re curious as to how this works, RFC 6238 is your guide.

Multiple API keys per marketplace

This isn’t so much a new feature as one that we’re just talking about now. It lacks some polish, but given our openness, we like to talk about in-progress things too. It’s long been possible to programmatically create and delete API keys, but it wasn’t really documented. We use this feature extensively for things like guest accounts, as well as for creating a clean environment every time we run acceptance tests.

We recently had another situation where this feature was useful: a customer had their head developer leave the company. While they reached out to us to rotate their credentials, that isn’t strictly necessary: with the right API calls, you can do this yourself.

We plan on enhancing this feature in the near future: right now, if you revoke your initial API key, the Dashboard will lose its access. We’re planning on making it prompt you for updated credentials, rather than simply not working. If you want to rotate your initial API key before that ships, simply email support and we’ll fix it up for you.