Enable Two Factor Authentication / Multi Factor Authentication (MFA)
This process might seem complicated if you're not very familiar with it, but it doesn't need to be. It is typically something you set up once, and then forget about - other than entering a second single-use passcode (TOTP) when you log in.
Multi-factor authentication is widely regarded as the single best thing you can do to protect an account from unauthorized use. According to Microsoft 1), MFA can block over 99.9 percent of account compromise attacks.
Why enable 2FA?
Two-factor auth makes it harder to log in, and that's the point. It's a minor inconvenience for you, but a barrier to anyone who might somehow acquire (or guess) your username and password. A password is one authentication factor, but requiring more than one authentication factor improves the security of your account.
What's an authentication factor?
Authentication factors are typically: something you know (a password or PIN), something you have (a phone running an authenticator app, or a hardware token), and something you are (a fingerprint or other biometric).
What's a TOTP code?
A TOTP code is a time-based one-time password. As the name implies, it can only be used once. It is generated by an app (typically on your phone) which knows a secret generated during the 2FA setup process. They are typically (but not always) a 6-digit number which regenerates every 15-30 seconds.
What's the difference between two-factor auth and multi-factor auth?
These two terms are typically used interchangeably; the term MFA may be more widely applicable, since it doesn't restrict the number of required factors to 2. Mastodon uses the term two-factor auth (2FA).
How to enable two-factor auth on your infosec.exchange account
To enable two-factor authentication, use the infosec.exchange web interface:
In the menu, click Preferences > Account > Two-factor Auth
The next screen advises: “If you enable two-factor authentication using an authenticator app, logging in will require you to be in possession of your phone, which will generate tokens for you to enter.”
Click SET UP to continue.
The following screen advises: “Scan this QR code into Google Authenticator or a similar TOTP app on your phone. From now on, that app will generate tokens that you will have to enter when logging in.”
Using Google Authenticator or a similar suitable app, scan the QR code to add the secret to your Authenticator app.
A number of suitable alternatives to Google Authenticator exist, including Microsoft Authenticator. Various password management platforms also offer TOTP secret management.
If you don't have any suitable app on your phone, be sure to download the correct official app only. Don't install security apps from untrusted sources.
If you are using an iPhone, you can open the regular camera app and show it the QR code, then tap Add Verification Code in Passwords to use the built-in password manager.
If your secrets manager doesn't have a camera (e.g. you're using a CLI secrets manager 3)) or you can't or don't want to use the camera, you can also enter the plaintext secret.
Once the account appears in Google Authenticator (or the similar app you are using), enter a TOTP code into the Two-factor code dialog below, and then hit ENABLE. This confirms to infosec.exchange that you are in possession of a correctly-configured TOTP generator which was seeded with the secret generated during this setup process.
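As an added example (not infosec.exchange's or Mastodon's code), here is a minimal RFC 6238 TOTP generator and verifier that shows what the phone app described under “What's a TOTP code?” and the server check in the ENABLE step each compute from the shared secret. The sample secret is the RFC 6238 test-vector key, and the `last_counter` store that makes each code single-use is an assumed server-side detail.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: the RFC 6238 test-vector secret "12345678901234567890",
# base32-encoded the way a setup page shows the "plaintext secret".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as displayed: spaces, lower case, missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """What the phone app shows: HOTP with counter = unix_time // step."""
    at = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify(secret_b32: str, code: str, at: int, last_counter: int,
           window: int = 1, step: int = 30) -> Optional[int]:
    """Server-side check. Accepts the current step plus `window` steps either side
    (clock drift), but never a step at or below `last_counter` (assumed to be stored
    per account): returns the matched counter for the caller to store, or None."""
    key = decode_secret(secret_b32)
    now = at // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue  # already consumed (replay), or older than a code already used
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None
```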
You should now see a message telling you: “Two-factor authentication successfully enabled”, which is good news! However, there is one final and very important step: recording your recovery codes. These are your backup plan in case you lose your phone (or whatever else you are generating the TOTP codes with). Record them in a safe location. Different people will argue about and give different advice on what this safe place should be, but typically you will hear one of the following options; pick the one which makes most sense to you:
Congratulations! You now have 2FA active on your infosec.exchange account. As the setup process warned, you will need a TOTP code each time you log in… but that's the point!