How We Extended Google 2FA to Every SaaS App


Literally everyone in the world has already told you to use two-factor auth (2FA) to log in. And they're right. It's awesome.


One advantage of using a provider like Google for 2FA is that you also get to use the added layer of authentication for any apps that support Google sign-in. I talked about this in a previous post: I'm a strong believer in outsourcing auth for SaaS apps in most cases. This is why at Meldium we not only allow people to log in with Google, we encourage it. When I log in to my personal Meldium instance, I sign in with a Google account, and if my device has not been verified, I'll be prompted for a verification code.

We realized (almost by accident) as we were building Meldium that we had unlocked an incredibly powerful combination of features: if you can use Google 2FA to sign in to Meldium, and you can use Meldium to sign in to third-party apps, then you effectively have 2FA for all 160 apps (and counting) that Meldium supports.

Even if a service provider doesn't have its own 2FA implementation, you can cache that provider's credentials in Meldium's secure vault and use Google 2FA together with the Meldium launcher to log in to that provider. Twitter hasn't added 2FA yet? Just generate a strong password, store it in Meldium, and share it with those who need it.

In addition to Google OAuth2, we are looking at adding support for other 2FA providers and devices like the YubiKey. Contact us if you're interested and we'll let you know as soon as you can try it.

What do you think? Join the discussion on Hacker News.

Update 10/21/2013

One of our readers reminded us that there is an important caveat in all this: if a hacker obtains the password to the target site, they can sign in directly without a second factor, because the second factor is enforced by the bridge, not by the target site. If the target site supports 2FA, you should strongly consider turning it on. For all the sites that don't, we recommend you set a very strong password and use a bridge like Meldium (which now supports over 800 apps).
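To make the bridge model and its caveat concrete, here is an added illustration (not Meldium's code, and not Google's sign-in flow): a password-only target site beside a launcher that releases a stored site password only after the user presents a valid second factor. The second factor is a standard TOTP code (RFC 6238) standing in for Google's device verification; the `TargetSite` and `Bridge` classes, the site name "twitter" and the user "alice" are hypothetical, and the TOTP secret is the RFC 4226/6238 test secret so the codes are reproducible. The last line of `demo` is the caveat from the update: the leaked password logs in directly, with no second factor involved.

```python
"""Toy model of a 2FA bridge: a password-only site plus a launcher that
gates release of the stored password behind a TOTP code.
Added illustration; not Meldium or Google code."""
import base64
import hashlib
import hmac
import secrets
import string
import struct

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG (the 'generate a strong password' step)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift."""
    step = int(now // 30)
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


class TargetSite:
    """Hypothetical third-party app that has no 2FA of its own: password is enough."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    def login(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._digest(password, salt))


class Bridge:
    """Hypothetical launcher: holds site passwords, releases one only after a valid OTP."""

    def __init__(self, totp_secret: bytes) -> None:
        self._totp_secret = totp_secret
        self._vault: dict[tuple[str, str], str] = {}

    def store(self, site_name: str, user: str, password: str) -> None:
        self._vault[(site_name, user)] = password

    def launch(self, site: TargetSite, site_name: str, user: str,
               otp: str, now: float) -> bool:
        """The second factor is checked here, on the bridge, not on the site."""
        if not verify_totp(self._totp_secret, otp, now):
            return False
        password = self._vault.get((site_name, user))
        return password is not None and site.login(user, password)


# Constructed inputs: RFC 4226/6238 test secret and a fixed clock, for reproducibility.
TEST_SECRET = b"12345678901234567890"
TEST_NOW = 59.0


def demo(now: float = TEST_NOW) -> dict[str, bool]:
    site = TargetSite()
    password = generate_password()
    site.register("alice", password)
    bridge = Bridge(TEST_SECRET)
    bridge.store("twitter", "alice", password)
    return {
        "bridge_with_valid_otp": bridge.launch(site, "twitter", "alice", totp(TEST_SECRET, now), now),
        "bridge_with_wrong_otp": bridge.launch(site, "twitter", "alice", "000000", now),
        # The caveat: anyone holding the site password skips the bridge entirely.
        "direct_with_leaked_password": site.login("alice", password),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two-sided picture: the launcher refuses to release the password without a valid code, but the site itself accepts the bare password, which is exactly why a leaked site password defeats the scheme and why turning on the site's native 2FA is the stronger fix where it exists.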