SMS verification is no longer supported on Newton. We've also added support for more authenticator apps, along with security keys and biometric authentication (such as Face ID or fingerprint ID).
Users now need to log in to the app to set up their preferred authentication method. Read on for more details.
- Why did we make this change?
- How will this affect the login process?
- Do you recommend one MFA method over another?
- What happens if you only use Newton on the web and don't have a smartphone?
Why did we make this change?
At Newton, our apps are built with security in mind. However, we are constantly looking for ways to increase security on our platform. This is why we conducted a migration to a more secure authentication system. As a result, we sunset SMS as a two-factor authentication method and require that Newton users use the most secure authentication methods.
How has this affected the login process?
You now have to log in to the app and set up your new two-factor authentication (2FA) / multi-factor authentication (MFA) method on Newton.
All users will need to set up one of the following MFA options:
- Authenticator app (such as Authy and Google Authenticator)
- Security key (such as a YubiKey)
- Authenticator app + biometric authentication (biometric login would be the default on supported devices, authenticator app would be the fallback MFA option)
- Security key + biometric authentication (biometric login would be the default on supported devices, authenticator app would be the fallback MFA option)
Following initial setup, the next time you log in you will be prompted to complete MFA using either an authenticator app, security key, or biometric authentication, depending on the method you set up.
Do you recommend one MFA method over the other?
Hardware security keys, such as YubiKey, are the most secure option. Biometric authentication is convenient and nearly as effective as security keys, but not all devices support it. Both options are phishing-resistant, meaning that they will not work on malicious clones of our apps and websites even if the attackers are able to trick customers into using them.
In contrast, SMS and email verification are both less secure than an authenticator app. With SMS verification, codes are delivered to a phone number. This means that a hacker could perform a “SIM swap” attack to gain access to your phone number and route the verification code to their own device. With email verification, codes are delivered via email. If a hacker gains access to your email inbox, they could intercept the codes delivered to it.
An authenticator app is more secure than email or SMS. With an authenticator app, authentication is linked to your specific device. As such, a hacker will not be able to route the code to their own device. Furthermore, authenticator app codes are time-limited and usually valid for no more than 30 seconds. You can use any authenticator app, including Authy, as your app of choice.
While authenticator apps are more secure than SMS and email, they do not offer the same phishing resistance as hardware security keys or device biometrics. For that reason, we recommend that all our customers use a hardware security key in combination with biometric authentication whenever possible, in addition to using biometrics to unlock the app on mobile devices.
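As an added illustration (not Newton's code), the two verifier-side checks below show where the difference described above comes from: a TOTP check takes only the shared secret and the clock, so nothing in it records which site the code was typed into, while a WebAuthn check compares the origin reported by the browser. The secret, origins and challenge are constructed sample values, and `verify_totp`, `check_client_data` and `client_data` are hypothetical names.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # seconds per code, the validity window mentioned above


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: inputs are the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Server-side check. Accepting adjacent steps for clock drift is an
    assumption here; it widens the window beyond a single 30-second step."""
    times = (now + d * STEP for d in range(-drift_steps, drift_steps + 1))
    return any(hmac.compare_digest(totp(secret, t), code) for t in times if t >= 0)


def check_client_data(client_data_json: bytes, expected_origin: str,
                      expected_challenge: str) -> bool:
    """Origin and challenge checks from WebAuthn assertion verification.
    The browser writes 'origin', and the authenticator signs over a hash of
    this JSON, so the field cannot be edited afterwards. Signature
    verification is a separate step not shown here."""
    data = json.loads(client_data_json)
    return (
        data.get("type") == "webauthn.get"
        and data.get("origin") == expected_origin
        and hmac.compare_digest(str(data.get("challenge", "")), expected_challenge)
    )


# Constructed sample data: RFC 6238 test secret and placeholder origins.
SECRET = b"12345678901234567890"
GENUINE = "https://app.example"
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"


def client_data(origin: str) -> bytes:
    """Build the clientDataJSON a browser would produce on the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                       "origin": origin}).encode()
```

`verify_totp` has no origin parameter to check, whereas `check_client_data` returns `False` for any origin other than the expected one, which is the property the article calls phishing-resistant.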
What happens if you only use Newton on the web and don't have a smartphone?
We recommend you use an authenticator app on a different device or a security key. However, if you do not have access to either one of those, you can use a desktop authenticator app, such as Authy.