Code[ish]

69. Designing a Better 2FA Mobile App

Chris Castle, a developer advocate at Salesforce, is joined by Evan Grim, a software architect at Salesforce responsible for the Salesforce Authenticator mobile app. Salesforce Authenticator is a component of a two-factor authentication flow. After a user signs in to their Salesforce organization, the mobile app generates a secure code that provides additional verification. This guarantees that even if a user's password is compromised, an attacker won't be able to log in unless they also have access to that user's phone.
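To make the "app generates a code, the server verifies it" step concrete, here is an added example of time-based one-time passwords (TOTP, RFC 6238 on top of HOTP, RFC 4226), the mechanism most authenticator apps use for the code-generation half of this flow. It is illustration code written for this page, not the Salesforce Authenticator's implementation, and the episode does not say which algorithm that app uses. The secret is the public RFC 6238 test-vector key, used here only so the output can be checked against the published vectors; the 30-second step, 6-digit code and one-step drift window are assumptions matching common defaults.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test-vector key (ASCII "12345678901234567890").
# A real deployment provisions a random per-user secret; this one is public and for testing only.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time step (the common default)
DIGITS = 6          # assumed code length (the common default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch.
    This is what the phone app computes and shows the user."""
    return hotp(secret, at_time // step, digits)


def matching_counter(secret: bytes, submitted: str, at_time: int,
                     window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the time-step counter whose code matches `submitted`,
    trying `window` steps either side of now to tolerate phone/server clock drift,
    or None if nothing matches. Comparisons are constant-time so response timing
    does not reveal how many leading digits were right."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now_counter = at_time // step
    for delta in range(-window, window + 1):
        candidate = now_counter + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


class TotpVerifier:
    """Per-user verifier that also rejects replay: once a code has authenticated,
    that step and every earlier step are consumed, so the same code cannot be
    submitted again inside the drift window by someone who observed it."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time-step counter already used for a login

    def verify(self, submitted: str, at_time: int) -> bool:
        match = matching_counter(self.secret, submitted, at_time, self.window)
        if match is None or match <= self.last_counter:
            return False
        self.last_counter = match
        return True


if __name__ == "__main__":
    # The phone shows the code for "now"; the server checks it with its own clock.
    phone_time, server_time = 59, 61
    code = totp(DEMO_SECRET, phone_time)
    verifier = TotpVerifier(DEMO_SECRET)
    print(code, verifier.verify(code, server_time))   # first use: accepted
    print(code, verifier.verify(code, server_time))   # same code again: rejected (replay)
```

The drift window and the replay check pull in opposite directions: a wider window helps users whose phone clock is a little off, but each extra accepted step is another code an observer could reuse, which is why the verifier remembers the last consumed counter per user. In production the counter would live in the user record rather than in memory, and the server would additionally rate-limit attempts, since a 6-digit code is only about 20 bits of entropy.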

Experiencing a flow like this has become commonplace, with banks and other websites taking a security-first approach to their user experience. What's starting to change is the way these 2FA apps work. For example, Evan has built a flow where the Salesforce Authenticator uses geolocation to identify where you are. If you log in to a website from the same location enough times to establish a pattern, the app can send the security code automatically, without you needing to type anything in. Evan is very interested in exploring further trends where safety is not compromised for the sake of usability.

For the remainder of the episode, Chris and Evan discuss the fundamentals of the technologies and systems used to build the app. Evan believes that keeping things simple is paramount in any software project. For many years, the Salesforce Authenticator backend was situated in one region, and it served them well. Now that the app has become more popular, they are considering the complexities of multi-region support, including sharding their Postgres database. Their trade-off of favoring adoption over sophistication has paid off, as it often does. Now that their idea has been validated, they can plan to rearchitect the app to support increased volume from a growing security-conscious user base.