Beacon 1.6.3: The Security Update

Since Beacon gained online features, user security has worked pretty much the same way. When you sign into Beacon, your profile information is downloaded, which includes your account's private key. That key arrives encrypted with your password (more precisely, with a key derived from your password); Beacon decrypts it and stores the decrypted key on your computer. This unencrypted private key lets Beacon use your account without ever needing your password again.

The trouble with this design comes from users giving out their passwords. They might find somebody to help with their project, that somebody signs into the account, and then never signs out. The only remedy is to generate a new private key, which breaks the encrypted data inside your projects and all of your files stored in the cloud. Changing your password doesn't help, because once the decrypted key is on disk Beacon never uses your password again.

Also, please don't do this. Beacon has project sharing features to avoid this. Never give your password to anybody for any reason.

No More Unencrypted Keys

As of Beacon 1.6.3, your private key stays encrypted with your account password while stored on your device. This means that if you change your password, the copy of the key stored on your other devices will stop decrypting shortly afterward.

Technically, the copy already on that device would still decrypt with the old password, but Beacon checks for account changes at every launch (this is the same check that lets a relaunch notice when Omni has been purchased). So at the next launch, Beacon downloads the new profile data, tries to decrypt the private key with the old password, fails, and sends the user back to the login window. The profile data is removed from the device at the same time.

This new logic means Beacon needs your account password on every single run. That sounds inconvenient, but there's a solution for that too. When you log in now, there is a new "Login Automatically" option that saves your password. On macOS, this uses the system keychain. On Windows, your password is encrypted with a key derived from hardware identifiers, so the saved copy won't decrypt if it is moved to a different device (it does not protect against someone who can already run programs as you on the same machine, so the usual advice about locking your account still applies). With this option enabled, Beacon can retrieve your password and decrypt your private key automatically at each launch.

One Step Further

One potential problem with this design is that it requires everybody to use the new version of Beacon. If somebody signs in with an older version, they still receive your unencrypted private key and we're back to square one. This is where two step authentication comes into play.

When you enable two step authentication for your account, older versions of Beacon cannot log in. Only Beacon 1.6.3 and newer are able to understand the second step.

To enable two step authentication, head to https://usebeacon.app/account/#security and you'll see a new "Authenticators" section. You can have multiple authenticators on your account, though at the moment only TOTP (like Google Authenticator) is supported. More options might be added in the future, though SMS will never be an option.

As with other implementations of two step authentication, you'll be presented with a QR code to scan, then enter the code your authenticator app generates to continue. In Beacon's case, you can also give the authenticator a nickname in case you add more than one, though most users won't.

Once your account has an authenticator, that's it: two step authentication is enabled for your account. Currently signed in sessions will continue to work, but cannot be renewed without signing in again. You can revoke sessions in the Sessions section of the account control panel. Your account will also gain 10 backup codes. Store them somewhere they cannot be lost and nobody else can read, as each one can be used in place of a verification code should something happen to your authenticator.
