Enable Two Factor Authentication / Multi Factor Authentication (MFA)
Why enable 2FA?
Two-factor auth makes it harder to log in, and that's the point. It's a minor inconvenience for you, but a barrier to anyone who might somehow acquire (or guess) your username and password. A password is one authentication factor, but requiring more than one authentication factor improves the security of your account. A second (or multiple) authentication factor
What's an authentication factor?
Authentication factors are typically:
- Something you know (e.g. a password)
- Something you have (e.g. a TOTP code generator or USB hardware security key)
- Something you are (e.g. the owner of a particular fingerprint or iris scan)
What's a TOTP code?
A TOTP code is a time-based one-time password. As the name implies, it can only be used once. It is generated by an app (typically on your phone) which knows a secret generated during the 2FA setup process. TOTP codes are typically (but not always) a 6-digit number which regenerates every 15-30 seconds.
What's the difference between two-factor auth and multi-factor auth?
These two terms are typically used interchangeably; the term MFA may be more widely applicable, since it doesn't restrict the number of required factors to 2. Mastodon uses the term two-factor auth (2FA).
How to enable two-factor auth on your infosec.exchange account
To enable two-factor authentication, use the infosec.exchange web interface:
- In the menu, click Preferences > Account > Two-factor Auth
- The next screen advises: “If you enable two-factor authentication using an authenticator app, logging in will require you to be in possession of your phone, which will generate tokens for you to enter.”
- Click SET UP to continue.
- The following screen advises: “Scan this QR code into Google Authenticator or a similar TOTP app on your phone. From now on, that app will generate tokens that you will have to enter when logging in.”
- Using Google Authenticator or a similar suitable app, scan the QR code to add the secret to your Authenticator app.
- A number of suitable alternatives to Google Authenticator exist, including Microsoft Authenticator. Various password management platforms also offer TOTP secret management.
- If you don't have any suitable app on your phone, be sure to download the correct official app only. Don't install security apps from untrusted sources.
- If you are using an iPhone, you can open the regular camera app and show it the QR code, then tap Add Verification Code in Passwords to use the built-in password manager.
- If your secrets manager doesn't have a camera (e.g. you're using a CLI secrets manager) or you can't/don't want to use the camera, you can also enter the plaintext secret.
- Once the account appears in Google Authenticator (or the similar app you are using), enter a TOTP code into the Two-factor code dialog below, and then hit ENABLE. This will confirm to infosec.exchange that you are in possession of a correctly-configured TOTP generator which was seeded with the secret generated during this setup process.
- You should now see a message telling you: “Two-factor authentication successfully enabled”, which is good news! However, there is one final and very important step: recording your recovery codes. These are your backup plan for if you lose your phone (or whatever you are using to generate the TOTP codes). Record them in a safe location. Different people will argue about/give different advice for what this safe place should be, but typically you will hear one of the following options; pick the one which makes most sense to you:
- record the backup codes on pen and paper and keep that paper secure.
- Record the values in your password manager.
Congratulations! You now have 2FA active on your infosec.exchange account. As the setup process warned, you will need a TOTP code each time you log in… but that's the point!