Using Two-factor authentication


Did you know you can use two-factor authentication to enhance the security of your DevZone account? 
In this little blog, I’ll show you how to enable Two-Factor Authentication (2FA) with your DevZone account.

What is it?

In general, Multi-Factor Authentication grants access only after you present 2 or more pieces of evidence, called “factors”.
Typically something only you know + something only you have.

Common example: Withdrawing money from an ATM requires your card (possession factor, CHECK!) and your PIN code (knowledge factor, CHECK!).

In our case, using Google 2-step verification, the factors are:

  • Your password, which only you know (!)
  • The verification code, generated by an app on your phone - which only you have access to.

In regular authentication schemes, only one factor is used: The knowledge factor where you are asked to present a username and a password. Even if this is two pieces of information, they both represent the same type of factor: Knowledge. While secure enough for many purposes, this means that anyone who knows the right credentials may be granted access. 

2FA cranks it up one notch by adding the possession factor: It's not enough to know something - you've also got to have a physical object.
In this case, your cell phone! 

With some sites you can also have single-use security codes sent as text messages to your phone. Some will send you a PDF file with single-use codes. 
These are nice for backup; and we do have them too - see the final paragraph. But for regular use I recommend installing and using the Google Authenticator app.
We'll take you through the steps below.

 

Why do it?

Using 2FA will actually make your login process more tedious. Why would you want that?
Well, it’s just that extra level of security.

If your password is compromised by someone, they’ll still need your security key to get into your account.
So, even if someone snoops your email and password somehow, they still need access to your cellphone - powered, online and unlocked - to produce the right authentication code.

So, while you should always be careful about logging in on public computers, and should never write down your passwords, send them by email to anyone (even yourself) or store them somewhere, 2FA actually compensates for all those bad habits. But still: Bad, bad habits, they are!

Besides: It’s actually just a tiny fraction more tedious.



How to get started with 2FA on the Nordic DevZone

You'll be installing and authenticating the Google Authenticator app to work with your DevZone account.
The app generates new verification codes on your mobile phone every minute. When asked for a second factor on DevZone in the future, you'll type the current code generated by the authenticator app.

Installing Google Authenticator and adding the DevZone

  1. Download and Install the Google Authenticator app on your mobile phone
    1. Available for iPhone (AppStore) and Android (Play.Google.com).

  2. Log into your DevZone account
  3. Perform the following steps when logged in to the DevZone:
    1. Go to “settings” under your avatar menu and
    2. Scroll way down to the bottom and finally,
    3. Click “Activate” under Two Factor Authentication

  4. A QR code appears. You are going to use this to connect your authenticated DevZone account to the Google Authenticator app on your phone.
    1. Open the Google Authenticator app and click the ‘+’ sign to add the DevZone as a new site.
    2. The app opens your camera.
    3. Take a snap of the on-screen QR code to register the site.
      1. If your camera for some reason doesn't work, there's also a manual code shown on your mobile screen.
        You can insert this into the "Manual code" dialog box in the DevZone.
        Note: This is not the same as the 6-digit code mentioned below; it's a much longer substitute for the QR code.

 

  5. The site ("Nordic DevZone") now automatically shows up in the list on your mobile screen, alongside other sites you have authenticated.
    1. A 6-digit verification code is generated from the QR snap taken by your phone.
    2. Enter this code into the text box labeled “Verify code” and click “verify and enable”.

  6. On your mobile screen, you can now see the list of 6-digit verification codes for each site you have registered, and the timeout indicators.
    Note that:
    1. Codes are changed every minute
    2. (You may need to sync your phone to keep up with the code changes. This is found under ‘settings’ in the Authenticator app.)
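
What the Authenticator app computes from the QR code or the manual code, as an added example (not DevZone's or Google's code), assuming the standard time-based one-time password algorithm (RFC 6238) that Google Authenticator implements. The secret is the RFC's constructed test key, and the 30-second step and one-step drift window are assumed parameters, not DevZone's settings.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret (the RFC 6238 test key), not a real DevZone secret.
SAMPLE_MANUAL_CODE = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_manual_code(manual_code):
    """Turn the long 'manual code' (base32 text) into the shared secret bytes."""
    cleaned = manual_code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return base64.b32decode(cleaned)


def totp(secret, at_time, step=30, digits=6):
    """Code for the time step containing at_time (HMAC-SHA1, RFC 6238)."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, at_time, step=30, window=1):
    """Server-side check: accept the current step and `window` steps either side.

    The window tolerates small clock differences between phone and server;
    a phone that has drifted further produces codes that never match.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    secret = decode_manual_code(SAMPLE_MANUAL_CODE)
    now = time.time()
    code = totp(secret, now)
    print("current code:", code)
    print("accepted now:", verify(secret, code, now))
    print("accepted with phone clock 5 min off:",
          verify(secret, totp(secret, now - 300), now))
```

Both sides derive the code from the same secret and their own clock, which is why the phone's time has to stay in sync and why the manual code can stand in for the QR code.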

 

Logging into the DevZone

When you have enabled 2FA, logging into the DevZone looks like this:

  1. Click the avatar in the top right corner to open the “sign in” page:



  2. Enter your email address and password, and click “Sign in”
  3. New: The two-factor authentication screen appears.
    1. Enter your 6-digit verification code from the Google Authenticator app and click “Submit code”:



    2. NB! Watch the countdown indicator in the app so you don’t start typing a code that’s about to change in 2 seconds…
  4. Go write a brilliant question to our tech support engineers and your fellow developers.

 

What if I'm getting a new smart phone?

Important:
Note that the DevZone has now been authenticated only with the instance of the Google Authenticator app that currently resides on your device / smart phone.
If you're getting a new phone, you must remember to:

  1. Either disable 2FA in your DevZone account first, and re-enable it once settled on your new smart phone, or
  2. Make sure you get some single-use codes. You can do this under your settings page:

Hope this helps!
Feel free to post questions below.

Cheers;
Eivind