Fog Creek

New Security Features in FogBugz and Kiln

Our DevTools team has been working on adding new security features, and we’ve released three today:

Two-factor Authentication

Security experts have been telling us for a long time that reusing passwords between sites is a poor security practice, but for just as long, users have been ignoring this advice. One thing we can do to mitigate this problem is to use two-factor authentication, which is now available in FogBugz and Kiln. It’s very easy to set up – just enable two-factor authentication on the user preferences page and we’ll walk you through it. You’ll need an authentication app on your phone, and then it’s as easy as scanning a QR code. Once two-factor authentication is turned on, you’ll be asked for a code from the app each time you log in. This means even if someone gets your password, they can’t get into your account without the current valid code. (full details on our help site)

[Screenshot: two-factor authentication setup]

Session Management

If you ever suspect that someone unauthorized has gotten into your account, then you want to be able to lock them out immediately. To this end, we have added a new Session Management page that administrators can access from the gear menu. This page displays all of the active login sessions, the IP addresses they originated from, and the time of last access. It also gives you three ways to invalidate tokens: you can delete individual tokens, delete all of the tokens for a user account, or choose the nuclear option and reset everything in the site. If you push the Big Red Button on the session management page, the current login sessions, Kiln SSH keys, RSS secrets, and passwords will be cleared for your entire site. The only way to log back in after this is to reset your password, using the “forgot my password” feature. You would only use the Big Red Button in the event of a real security breach. We hope you’ll never have to use it, but it’s nice to know it’s there. (full details on our help site)

[Screenshot: Session Management page]

True Delete

Whether by accident or on purpose, sensitive data can end up in FogBugz cases and Wiki articles. If you want to change the contents of a case comment or a Wiki page, you can do so, but FogBugz will keep a record of the previous versions. This is a good thing during normal use, but if a password, credit card number or login token is involved, the data needs to be completely purged.

The Wiki has always allowed you to do this: first make sure the article is not linked to from any other article, then delete it permanently from its info page. On the case page, Administrators can now completely delete any event (comments, edits, emails) by entering edit mode and clicking the ‘X’ next to it. (full details on our help site)

[Screenshot: deleting a case event, taken 2015-10-07]