====== Enable Two Factor Authentication / Multi Factor Authentication (MFA) ======
<div tip>This process might seem complicated if you're not very familiar with it, but it doesn't need to be. It is typically something you set up once, and then forget about - other than entering a second single-use passcode (TOTP) when you log in.

Multi-factor authentication is widely regarded as the single best thing you can do to protect an account from unauthorized use. According to Microsoft(([[https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/|One simple action you can take to prevent 99.9 percent of attacks on your accounts (Microsoft)]])), MFA can block over 99.9 percent of account compromise attacks.</div>

===== Why enable 2FA? =====
Two-factor auth makes it harder to log in, and that's the point. It's a minor inconvenience for you, but a barrier to anyone who might somehow acquire (or guess) your username and password. A password is one authentication factor, but requiring more than one authentication factor improves the security of your account.
===== What's an authentication factor? =====
Authentication factors are typically:
  * Something you know (e.g. a password)
  * Something you have (e.g. a TOTP code generator or USB hardware security key)
  * Something you are (e.g. the owner of a particular fingerprint or iris scan((infosec.exchange does not currently offer iris scans for authentication.))

===== What's a TOTP code? =====
A TOTP code is a [[https://en.wikipedia.org/wiki/Time-based_one-time_password|time-based one-time password]]. As the name implies, it can only be used once. It is generated by an app (typically on your phone) which knows a secret generated during the 2FA setup process. They are typically (but not always) a 6 digit number which regenerates every 15-30 seconds.

===== What's the difference between two-factor auth and multi-factor auth? =====
These two terms are typically used interchangeably; the term MFA may be more widely applicable, since it doesn't restrict the number of required factors to 2. Mastodon uses the term two-factor auth (2FA).

===== How to enable two-factor auth on your infosec.exchange account =====
To enable two-factor authentication, use the infosec.exchange web interface:
  - In the menu, click ''Preferences'' > ''Account'' > ''Two-factor Auth''
  - The next screen advises: "If you enable two-factor authentication using an authenticator app, logging in will require you to be in possession of your phone, which will generate tokens for you to enter."
  - Click ''SET UP'' to continue
  - The following screen advises: "Scan this QR code into Google Authenticator or a similar TOTP app on your phone. From now on, that app will generate tokens that you will have to enter when logging in."
  - Using Google Authenticator or a similar suitable app, scan the QR code to add the secret to your Authenticator app.
    * A number of suitable alternatives to Google Authenticator exist, including Microsoft Authenticator. Various password management platforms also offer TOTP secret management.
    * If you don't have any suitable app on your phone, be sure to download the correct official app only. Don't install security apps from untrusted sources.
    * If you are using an iPhone, you can open the regular camera app and show it the QR code, then tap the ''Add Verification Code in Passwords'' to use the built-in password manager.
    * If your secrets manager doesn't have a camera (e.g. you're using CLI secrets manager((If you're using a CLI secrets manager, you probably don't need this wiki page.))) or you can't/don't want to use the camera, you can also enter the plaintext secret.
  - Once the account appears in Google Authenticator (or similar app you are using) you must now enter a TOTP code into the Two-factor code dialog below, and then hit ''ENABLE''. This will confirm to infosec.exchange that you are in possession of a correctly-configured TOTP generator which was seeded with the secret generated during this setup process.
  - You should now see a message telling you: "Two-factor authentication successfully enabled" which is good news! However, there is one final and very important step: recording your recovery codes! These are your backup plan for if you lose your phone (or however you are generating the TOTP codes). Record them in a safe location. Different people will argue about/give different advice for what this safe place should be, but typically you will hear one of the following options; pick the one which makes most sense to you:
     * record the backup codes on pen and paper and keep that paper secure.
     * Record the values in your password manager.

Congratulations! You now have 2FA active on your infosec.exchange account. As the setup process warned, you will need a TOTP code each time you log in... but that's the point!