Walking hand in hand with latest security standards, Etsy has introduced a set of three security features for its website; two factor authentication, full site SSL support, and viewable login history data. As of now, Etsy is offering these features to its members on an opt-in basis as a commitment to account safety, and owing to rising security concerns across the web.

Talking about the two-factor authentication, users signing into Etsy from a new browser, and every 30 days in the same browser, will be asked to enter a second code after the password when signing in. This second code will be generated and sent to their phone via SMS or voice call at the time of sign in. Etsy used A/B testing technique for this feature testing and implementation.

With Login History, you can go to the Security Settings page to view the ten most recent logins to your Etsy account by location, making easy to access the last visited or viewed pages.

Among all these, what’s more important is the full site SSL that Etsy has implemented on its site.

Interestingly, the Etsy Security Team has described their complete experience of implementing the SSL feature, which was not very smooth. Initially, it looked like a simple change, and started with set up a test where they attempted to make the site fully SSL by disabling the load balancer rules that forced some pages down to HTTP. But this resulted into a thrilling explosion in the error logs! So, they started up again by making all codebase HTTPS friendly. It was followed by moving the logic for enforcing whether a URL could be HTTP, HTTPS, or both from the load balancer to the application itself. The entire process involved close Dev-Ops collaboration.

Why Etsy introduced the site SSL feature on an opt-in basis is because their prime motive was to provide it to those members who use riskier shared network mediums such as public WiFi. On analyzing metrics around CDN performance, page performance times of SSL vs non-SSL, and overall load balancer SSL capacity, they’ll be soon moving towards defaulting to full site SSL for all members and visitors.