For any technology business, security should be a core focus from day one. Here at tray.io we take security extremely seriously. We have always made sure to avoid storing sensitive data for longer than is necessary and to encrypt data where possible.
Today we are delighted to announce we have put the finishing touches on some major enhancements that will help keep your accounts and data even more secure as you use the platform.
Two Factor Authentication
First and foremost, we have added Two Factor Authentication (2FA) support so you can add a second layer of security to protect against fraudulent access to your tray.io account.
Two Factor Authentication is an industry standard implementation of Multi Factor Authentication which requires two separate methods of verifying your identity when you try to access tray.io services. We have taken the Time-based One-time Password (TOTP) approach, which requires you to use a compatible smartphone app such as Google Authenticator (iOS or Android) or Authy (iOS or Android).
To get started with 2FA, head to your profile page, click Enable Two Factor Authentication and follow the instructions.
Once 2FA is enabled, you will be prompted to verify your identity using your smartphone every time you use a new browser/computer or when your session expires.
You will also be given a backup code which you should store somewhere safe in case you lose access to your 2FA application. This backup code can be used in place of the standard smartphone password when you are prompted to verify your identity.
Improved Session Management
Along with 2FA, we have rewritten how sessions work and made session management much more powerful. If you head again to your profile page, you will see a new section showing you all of the currently active sessions that are accessing your tray.io account.
From here you can see the location, IP address, browser and operating system that are being used to access your account, and you can revoke these sessions if you don't recognise them.
A common security hole that many companies ignore is allowing users to perform significant actions on their account without re-prompting for their password.
Imagine if you were sitting in a public place and left your tray.io account logged in and exposed. Anyone could jump on your computer while you were not looking and change your email address or delete your whole account. From now on, any major account action such as changing passwords or enabling/disabling 2FA will prompt you to re-enter your password.
The final part of our security improvements has been to work with the great team at Castle to highlight threats to our platform and users' accounts.
Castle analyses the actions your users take and uses them to build intelligent models of user behaviour. These models can be used to highlight unusual or suspicious activity on a user's account. In the case of a legitimate threat to the platform, we can take actions to mitigate the threat, such as notifying the users of the suspicious activity.
Part of my job at tray.io is to make sure we are always on top of the latest security practices and procedures, and for that reason security is an ongoing investigation that should never stop. Stay tuned for future posts related to new security improvements and how we already deal with things like data encryption.