Two factor authentication available
04 May 2018
All information in ShadowTrackr is found on or derived from things found on the public internet. No special internal access, firewall rules or agents on endpoints are needed. Still, the convenient overview of your attack surface and all your weak spots in one place can be quite sensitive as a whole.
Also, you can have ShadowTrackr scan for sensitive keywords on the internet. Think of specific non-public email addresses for VIPs, or literal texts from documents that you think might end up published on Pastebin and the like. These will be visible in ShadowTrackr after login.
The above prompted some clients to ask for two factor authentication. The good news is that it was silently added a few weeks ago and is working properly. Time-based One-time Passwords (TOTP, see RFC 6238) are the thing now, and I chose the ubiquitous and easy to use Google Authenticator app.
To enable it, go to the Account tab in Settings and set Authentication to “2fa with Google Authenticator”. You’ll be presented with a QR code that you have to scan in the Google Authenticator app on your smartphone. If you don’t have the app, you should install it first from Google Play or the Apple App Store. Note that all other users you have will be forced to enable Google Authenticator too on their next login.
If you ever have to reinstall Google Authenticator one day (new phone? different brand?), you will have a bad day. Unless of course you have saved the initial QR code in a safe place and can just rescan it in the app. I recommend printing it on unhackable paper and putting it in your safe.