Enable Two Factor Authentication / Multi Factor Authentication (MFA)

This process might seem complicated if you're not very familiar with it, but it doesn't need to be. It is typically something you set up once, and then forget about - other than entering a second single-use passcode (TOTP) when you log in.

Multi-factor authentication is widely regarded as the single best thing you can do to protect an account from unauthorized use. According to Microsoft 1), MFA can block over 99.9 percent of account compromise attacks.

Two-factor auth makes it harder to log in, and that's the point. It's a minor inconvenience for you, but a barrier to anyone who might somehow acquire (or guess) your username and password. A password is one authentication factor, but requiring more than one authentication factor improves the security of your account.

Authentication factors are typically:

  • Something you know (e.g. a password)
  • Something you have (e.g. a TOTP code generator or USB hardware security key)
  • Something you are (e.g. the owner of a particular fingerprint or iris scan) 2)

A TOTP code is a time-based one-time password. As the name implies, it can only be used once. It is generated by an app (typically on your phone) which knows a secret generated during the 2FA setup process. Codes are typically (but not always) a 6-digit number which regenerates every 15-30 seconds.

The terms 2FA and MFA are typically used interchangeably; the term MFA may be more widely applicable, since it doesn't restrict the number of required factors to 2. Mastodon uses the term two-factor auth (2FA).

To enable two-factor authentication, use the infosec.exchange web interface:

  1. In the menu, click Preferences > Account > Two-factor Auth
  2. The next screen advises: “If you enable two-factor authentication using an authenticator app, logging in will require you to be in possession of your phone, which will generate tokens for you to enter.”
  3. Click SET UP to continue
  4. The following screen advises: “Scan this QR code into Google Authenticator or a similar TOTP app on your phone. From now on, that app will generate tokens that you will have to enter when logging in.”
  5. Using Google Authenticator or a similar suitable app, scan the QR code to add the secret to your Authenticator app.
    • A number of suitable alternatives to Google Authenticator exist, including Microsoft Authenticator. Various password management platforms also offer TOTP secret management.
    • If you don't have any suitable app on your phone, be sure to download the correct official app only. Don't install security apps from untrusted sources.
    • If you are using an iPhone, you can open the regular camera app and show it the QR code, then tap “Add Verification Code in Passwords” to use the built-in password manager.
    • If your secrets manager doesn't have a camera (e.g. you're using a CLI secrets manager 3)) or you can't/don't want to use the camera, you can also enter the plaintext secret.
  6. Once the account appears in Google Authenticator (or similar app you are using) you must now enter a TOTP code into the Two-factor code dialog below, and then hit ENABLE. This will confirm to infosec.exchange that you are in possession of a correctly-configured TOTP generator which was seeded with the secret generated during this setup process.
  7. You should now see a message telling you: “Two-factor authentication successfully enabled”, which is good news! However, there is one final and very important step: recording your recovery codes. These are your backup plan in case you lose your phone (or whatever device generates your TOTP codes). Record them in a safe location. People argue about, and give different advice on, what this safe place should be, but typically you will hear one of the following options; pick the one which makes most sense to you:
    • Record the backup codes with pen and paper and keep that paper secure.
    • Record the values in your password manager.
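As an added illustration (not code from infosec.exchange or the Mastodon project), the Python below shows what the two sides of the TOTP description above and of step 6 compute: the app derives the 6-digit code from the shared secret and the current 30-second step (RFC 6238, HMAC-SHA1), and the server-side check accepts one step of clock skew, compares in constant time, and refuses a code for a step that has already been used, which is what makes the code single-use. The secret is the RFC 6238 test key in base32, a constructed value and not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret: the RFC 6238 test key b"12345678901234567890" in base32,
# the same format as the "plaintext secret" shown during setup.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app computes: RFC 6238 TOTP with HMAC-SHA1."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore base32 padding if the secret was shown without it
    key = base64.b32decode(s)
    counter = unix_time // step  # number of whole time steps since the Unix epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                last_accepted: int = -1, window: int = 1, step: int = 30):
    """What the server does at ENABLE time and at each login.

    Returns the time-step counter the code matched, or None. The caller stores
    the returned counter and passes it back as last_accepted next time, so a
    code (or any code from an earlier step) cannot be replayed.
    """
    for delta in range(-window, window + 1):
        t = unix_time + delta * step
        counter = t // step
        if counter <= last_accepted:
            continue  # this step was already consumed by an earlier login
        if hmac.compare_digest(totp(secret_b32, t, step), candidate):
            return counter
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; use int(time.time()) for a live clock
    code = totp(EXAMPLE_SECRET_B32, now)
    print("app shows:", code)
    print("server accepts at step:", verify_totp(EXAMPLE_SECRET_B32, code, now))
    print("replay rejected:", verify_totp(EXAMPLE_SECRET_B32, code, now, last_accepted=1))
```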

Congratulations! You now have 2FA active on your infosec.exchange account. As the setup process warned, you will need a TOTP code each time you log in… but that's the point!

2) infosec.exchange does not currently offer iris scans for authentication.
3) If you're using a CLI secrets manager, you probably don't need this wiki page.