Substack Rolls out Two-Factor Authentication for Users

More than four years after launching, Substack finally adopts what is considered a security best standard.

Substack Rolls out Two-Factor Authentication for Users

More than four years after it launched in 2017, Substack is implementing two-factor authentication today for writers on its platform.

The opt-in security feature will add protection against hacking by asking account holders to provide a single-use sign-in code, in addition to their username and password, to access accounts.

It will initially be available only to writers and other account holders who log in through Substack's web platform, but the company plans to make it available for users of its new mobile app soon.

“We want all users to be able to take advantage of this increased account security, but the priority is to protect writers' dashboards, which are only accessible via web,” spokeswoman Lulu Cheng Meservey wrote in an email to me last week.

It’s not clear why it took Substack so long to adopt what is considered a critical security feature. Substack has recruited a number of high-profile and controversial writers to its platform in recent years — including journalist Glenn Greenwald, opinion writer Bari Weiss and NSA leaker and whistleblower Edward Snowden — all of whom would be attractive targets for hackers who want to hijack their accounts to publish or send embarrassing messages to their readers. Substack currently has more than 1 million paid subscribers and millions more who receive content to their email addresses without paying.

Two- or multi-factor authentication has been an industry security standard for years, and security experts have long urged users and providers of web services to enable it to secure their accounts.

Google began to make it available to its users in 2010 and 2011 after nation-state hackers from China attempted to access the Gmail accounts of Chinese human rights activists. In 2011, Facebook and Yahoo made it available for their users, as did Dropbox in 2012 and Twitter in 2013, following the breach of 33 high-profile Twitter accounts, including then-president-elect Barack Obama’s campaign account, Britney Spears and the official feeds for Fox News and CBS. Apple enabled it for its iCloud users in 2014 after hackers stole the photos of numerous female celebrities.

Despite this history, Substack actively recruited controversial writers to its platform without having this security feature in place.

In October 2020, Glenn Greenwald resigned from The Intercept and joined Substack, and about ten weeks later, controversial former New York Times opinion writer Bari Weiss launched a Substack publication as well. Last June, Snowden announced the launch of his Substack publication.

Substack has also been embroiled in controversy over its courting of writers like Jesse Singel, Abigail Shrier, and Graham Linehan, who have been labeled “transphobic” for their opposition to the rights of transgender people.

Asked about the delay in making multi-factor authentication available to its writers, Cheng Meservey wrote, “This was a feature we had wanted to build for a while. A successful proof-of-concept [in December] combined with a few writers requesting it brought it to the top of the list.”

Cheng Meservey didn’t say whether any accounts had been breached to date.

Substack was launched in 2017 and has raised more than $82.4 million from investors, including Y Combinator and Andreessen Horowitz, but the company doesn’t currently have a chief information security officer. Asked if it has a dedicated security team, Cheng Meservey replied, “We have people focused on security and will have more as we continue to grow.”

Last September, I contacted Substack co-founder Hamish McKenzie about Substack’s lack of multi-factor authentication as well as another security issue with author accounts. Substack allows writers to sign into their dashboards using a log-in link sent to them via email (in lieu of a username and password). The links, however, remained live for 24 hours or more, although security best practices call for them to expire after an hour or so. Substack engineers promptly fixed the latter issue — the log-in links now expire after an hour — but multi-factor authentication remained an open concern.

McKenzie wrote in an email at the time that two-factor authentication was “on the books,” but he didn’t say when it would be available. Substack contacted me last month to say they had implemented multi-factor authentication for my account to test it in beta, then contacted me last week to say it would be rolled out today. The company added an explanation about how to enable two-factor authentication to its user support page about two weeks ago.

With multi-factor authentication, users obtain a sign-in code via a text message sent to their phone or generated by a hardware token they posses or an application installed on their phone. Because it requires users to provide something they know — username and password — something they possess (a randomly generated code that expires after a period of time) or something biometric on their person (fingerprint or iris scan) it prevents hackers from obtaining access to accounts if all they have is a username and password, which can be easily stolen through phishing scams or data breaches.