Slack, the popular enterprise workspace collaboration tool and IRC clone, does not offer end-to-end encryption, making any breach of Slack’s servers potentially catastrophic for users around the world. If you or your organization would suffer severe damage if internal Slack conversations leaked, then it’s time to either consider encrypted Slack alternatives or mitigate the risk by locking down your Slack workspaces. We caught up with Andrew Ford Lyons, a technologist working on digital security for at-risk groups at Internews in the UK, for his advice.
While none of these tips can fully protect you from a breach at Slack, or any of the other threats to the confidentiality of your Slack workspaces, they can make the inevitable less catastrophic.
1. Enable two-factor authentication (2FA)
Slack offers 2FA. It’s good. It’s usable. Use it. It won’t protect you if Slack itself is breached, but it means a password alone, whether guessed, reused from another breach or phished, is no longer enough to get into your workspace. One caveat: a one-time code is only phishing-resistant up to a point. A real-time phishing page can relay the code to Slack within the seconds it remains valid, so a determined attacker targeting a specific person can still get in; only hardware keys using FIDO U2F/FIDO2 close that gap.
Slack’s 2FA is standard time-based one-time passwords (TOTP, RFC 6238), so it works with Google Authenticator, Duo Mobile, Authy, 1Password and (in the unlikely event you’re using a Windows Phone) Microsoft Authenticator, or any other TOTP app for your mobile device. Slack also supports SMS 2FA, which you should avoid unless you have no other option. Any 2FA is better than none, but SMS codes can be intercepted through SIM swapping, number porting or SS7 attacks on the carrier network, so SMS is far less secure than a soft token that keeps the secret on your device and never sends it anywhere.
There’s no sign of hard token (think: YubiKey) support for Slack yet. Yubico, the leading hard token maker, announced in January its support for mobile devices. Larger organizations concerned about account security might drop Slack a friendly note asking when to expect YubiKey support. In the meantime, an organization on a Slack plan with SAML single sign-on can put Slack logins behind an identity provider that does support hardware keys; Slack itself never sees the key, but the login that reaches it is then phishing-resistant.