Soon, SMS verification will no longer be supported on Newton. We're also adding support for more authenticator apps, along with security key and biometric authentication (such as Face ID or fingerprint ID). These changes will take effect when we migrate to a new authentication system.
Following migration, users will need to log in to the app to set up their preferred authentication method. Read on for more details.
- Why is this happening?
- How will this affect the login process?
- Do you recommend one MFA method over another?
- What happens if you only use Newton on the web and don't have a smartphone?
- What do you need to know?
Why is this happening?
At Newton, our apps are built with security in mind. However, we are constantly looking for ways to increase security on our platform. This is why we will be conducting a migration to a more secure authentication system. As a result, we will sunset SMS as a two-factor authentication method and will require that Newton users use the most secure authentication methods.
How will this affect the login process?
Following the migration, you will have to log in to the app and set up your new two-factor authentication (2FA) / multi-factor authentication (MFA) method on Newton.
All users will need to set up one of the following MFA options:
- Authenticator app (such as Authy and Google Authenticator)
- Security key (such as a YubiKey)
- Authenticator app + biometric authentication (biometric login would be the default on supported devices, authenticator app would be the fallback MFA option)
- Security key + biometric authentication (biometric login would be the default on supported devices, authenticator app would be the fallback MFA option)
Following initial setup, the next time you log in you will be prompted to complete MFA using an authenticator app, security key or biometric authentication, depending on the method you set up.
Do you recommend one MFA method over the other?
Hardware security keys, such as a YubiKey, are the most secure option. Biometric authentication is convenient and nearly as effective as security keys, but not all devices support it. Both options are phishing-resistant, meaning that they will not work on malicious clones of our apps and websites even if the attackers are able to trick customers into using them.
In contrast, verification by SMS and verification by email are both less secure than verification through an authenticator app. With SMS verification, codes are delivered to a phone number. This means that a hacker could perform a “SIM swap” attack to gain access to your phone number and route the verification code to their own device. With email verification, codes are delivered via email. If a hacker gains access to your email inbox, they could intercept the codes delivered there.
An authenticator app is more secure than email or SMS. With an authenticator app, authentication is linked to your specific device. As such, a hacker will not be able to route the code to their own device. Furthermore, authenticator app codes are time-limited and usually valid for no more than 30 seconds. You can use any authenticator app, including Authy, as your app of choice.
While authenticator apps are more secure than SMS and email, they do not offer the same phishing-resistance as hardware security keys or device biometrics. For that reason, we recommend that all our customers use a hardware security key in combination with biometric authentication whenever possible, in addition to using biometrics to unlock the app on mobile devices.
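The difference described above, as an added Python sketch (not Newton's code): an authenticator-app code is computed only from a shared secret and the clock, while a security-key or biometric response also covers the origin reported by the browser. The function names, the HMAC stand-in for a security key's public-key signature, and the `.example` origins are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # seconds each authenticator-app code stays valid


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): a function of the shared secret and the clock only."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    # Nothing in the code records which site it was typed into,
    # so the server cannot check where the code was entered.
    return hmac.compare_digest(totp(secret, now), code)


def sign_assertion(key: bytes, challenge: str, origin: str) -> dict:
    """Simplified security-key response. Assumption: HMAC stands in for the
    public-key signature; the browser, not the user, supplies `origin`."""
    client_data = json.dumps({"challenge": challenge, "origin": origin})
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(key: bytes, assertion: dict, challenge: str, site: str) -> bool:
    """Server-side check: valid signature, fresh challenge, and our own origin."""
    expected = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge and data["origin"] == site


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample (RFC 6238 test secret)
    code = totp(secret, 60)
    print(code, verify_totp(secret, code, 89), verify_totp(secret, code, 90))
    resp = sign_assertion(b"k", "c1", "https://app-login.example")  # look-alike page
    print(verify_assertion(b"k", resp, "c1", "https://app.example"))
```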
What happens if you only use Newton on the web and don't have a smartphone?
We recommend you use an authenticator app on a different device or a security key. However, if you do not have access to either one of those, you can use a desktop authenticator app, such as Authy.
What do you need to know?
We will perform maintenance on the app to implement the changes over a 2- to 4-hour window. During the migration, the app will be down. We will send an email notice to all users a day before the migration.
Following the migration, Newton users will no longer be able to use SMS as their 2FA/MFA authentication method.
All users should log in to their Newton accounts to select and set up their MFA method.
Future updates will be posted here as well as on our social media. All users will also receive an email notice on the release date.