Applications on Galaxy just got more secure. 💪 Introducing Two-Factor Authentication + App Protection

Hey everyone!

We’re excited to let you know that your Galaxy applications just got more secure, thanks to Two-Factor Authentication on all Meteor Developer Accounts (MDA) and App Protection on Galaxy Hosting.

Here’s a very brief summary of what we’ve added:

App Protection:

App Protection on Galaxy Hosting is a new feature in our proxy server layer that sits in front of every request to your application. This means that all requests across servers are analyzed and measured against expected limits.

If a type of request is classified as abusive (we’re not going to go into the specifics as to how we determine this), we will stop sending these requests to your app, and we start to return HTTP 429 (Too Many Requests).

Two-Factor Authentication:

The benefits of Two-Factor Authentication are obvious to all. Now it’s available for all Meteor Developer Accounts, and therefore all applications deployed to Galaxy.

To enable Two-Factor Authentication on your Meteor Developer Account, please login, then click on Security on the left hand side, then “enable”

See our blog post for more information on release, or check out the Galaxy docs about App Protection and Two-Factor Authentication.


Great news! Any chance there will be a version for 2FA for authenticator apps like Google Authenticator?


Galaxy is becoming more alluring each day, great stuff!


Hey @storyteller! We don’t have any immediate plans to introduce a version for authenticator apps, but this feedback is helpful. If enough requests roll in for it we’ll definitely put it on the roadmap :slight_smile:

1 Like

I reckon I’d use it. Mongodb Atlas does their 2factor through Authenticator as well, and I imagine quite a few users cross over between these two.

1 Like

Good to know! Thanks @jasongrishkoff, appreciate the feedback.

I’m curious about App Protection - is this rate-limiting on steroids or does this stop malicious attacks such as NoSQL injection? Is there more documentation available?

Hi, no, it’s not related to this kind of protection (NoSQL injection), this protection is related to Galaxy and network, you can read more here

It happens before the request reach your app, so it is a layer before rate-limiting, preventing malicious connections.