Using Two-factor authentication


Did you know you can use two-factor authentication to make your DevZone account much harder to take over?
In this short post, I’ll show you how to enable Two-Factor Authentication (2FA) on your DevZone account.

What is it?

In general, Multi-Factor Authentication grants access only after the user presents two or more independent pieces of evidence – “factors”. Typically:

  • The knowledge factor: Something only you know
  • The possession factor: Something only you have

Common example: Money withdrawal from an ATM requires your card (possession factor, CHECK!) and your PIN code (Knowledge factor, CHECK!).

In our case, using verification codes from the Google Authenticator app, the factors are:

  • Your password (which you know)
  • The verification code, generated by an app on your phone (which you must have)

In regular authentication schemes, only one factor is used: the knowledge factor, where you are asked to present a username and a password.
While secure enough for many purposes, this means that anyone who knows the right credentials is granted access – whether they got them from you, from a phishing page or from a leaked password database.

2FA takes it up one notch by adding the possession factor: It's not enough to know something - you've also got to have something.

In this case, your cell phone!
Some sites can also send single-use codes to your phone as text messages, and some give you a PDF or printed list of single-use backup codes.
These are nice as a fallback (text messages in particular are the weakest option, since they can be redirected to another SIM or read by anyone holding the phone), but for regular use I recommend installing and using the Google Authenticator app, which generates the codes on the phone itself without any network connection. See the step-by-step guide below.

 

Why do it?

Using 2FA will actually make your login process more tedious. Why would you want that?
Well, it’s just that extra level of security.

If your password is compromised by someone, they’ll still need the current verification code to get into your account.
So, even if someone snoops your email address and password somehow, they also need your cellphone – powered on and unlocked – to produce the right code. The app doesn’t need to be online: the code is computed from the secret stored on the phone and the phone’s clock.

So, while you should always be careful about logging in on public computers, never write down your passwords, never send them by email to anyone (even yourself) and never store them in the clear; 2FA limits the damage when one of those bad habits leaks your password. But still: bad, bad habits, they are!

Besides: It’s actually just a tiny fraction more tedious.



How to get started with 2FA on the Nordic DevZone

You'll be installing the Google Authenticator app and registering it with your DevZone account.
The app then generates a new verification code on your mobile phone every 30 seconds. Whenever DevZone asks for a second factor in the future, you'll type the code the app is currently showing.

Get started:

  1. Download and Install the Google Authenticator app on your mobile phone
    1. Available for iPhone (AppStore) and Android (Play.Google.com).
  2. Log into your DevZone account
  3. Perform the following steps when logged in to the DevZone:
    1. Go to “settings” under your avatar menu and
    2. Scroll way down to the bottom and finally,
    3. Click “Activate” under Two Factor Authentication
  4. A QR code appears. You are going to use this to connect your authenticated DevZone account to the Google Authenticator app that you just installed.
    This way, your cellphone becomes the "second factor".
    1. Take out your cellphone, open the Google Authenticator app and click the ‘+’ sign to add the DevZone as a new site.
    2. The app opens your camera.
    3. Take a snap of the on-screen QR code to register the site.
      1. If your camera for some reason doesn't work, there's also a manual setup key shown next to the QR code on the DevZone page.
        Choose the manual-entry option in the Authenticator app and type that key in instead of scanning.
        Note: This is not the same as the 6-digit code mentioned below; it's the much longer shared secret that the QR code also carries, so treat it like a password and don't leave it lying around.

 

  5. The site ("Nordic DevZone") now automatically shows up in the list on your mobile screen, alongside other sites you have registered.
    1. The app now generates a 6-digit verification code from the secret it read out of the QR code and the current time.
    2. Enter this code into the text box labeled “Verify code” and click “verify and enable”.
  6. On your mobile screen, you can now see the current 6-digit verification code for each site you have registered, each with its own countdown indicator.
    Note that:
    1. Codes change every 30 seconds.
    2. The codes depend on your phone's clock. If DevZone keeps rejecting codes that you typed correctly, use the time-correction option under ‘settings’ in the Authenticator app to sync the phone, rather than retyping.

 

Logging into the DevZone

When you have enabled 2FA, logging into the DevZone looks like this:

  1. Click the avatar in the top right corner to open the “sign in” page:



  2. Enter your email address and password, and click “Sign in”
  3. New: The two-factor authentication screen appears.
    1. Enter your 6-digit verification code from the Google Authenticator app and click “Submit code”:



    2. NB! Watch the countdown indicator in the app so you don’t start typing a code that’s about to change in 2 seconds…
  4. Go write a brilliant question to our tech support engineers and your fellow developers.
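The QR code you scanned during setup and the 6-digit code you type at login are the two ends of the TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP), which is what the Google Authenticator app implements. The Python below is an added example and is not DevZone's or Google's code: it pulls the shared secret out of an otpauth:// URI of the kind a TOTP QR code carries (the URI layout and the "Nordic DevZone" label are assumed, not taken from the post), generates codes with the 30-second countdown, and verifies them the way a server should, tolerating one step of clock drift and refusing to accept the same code twice. The secret is the RFC 6238 test secret, so the codes can be checked against the RFC's published vectors; all function and class names are this example's own.

```python
"""TOTP as implemented by Google Authenticator (RFC 6238 over RFC 4226 HOTP).

Added example, not DevZone's or Google's code. The secret used in demo() is the
RFC 6238 test secret, so the codes can be checked against the RFC's own vectors.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

TIME_STEP = 30  # Google Authenticator rotates codes every 30 s, not every minute
DIGITS = 6


def decode_setup_key(key: str) -> bytes:
    """The QR code (and the manual setup key) carry the shared secret in base32.
    Spaces, lowercase and missing '=' padding are all tolerated, as real apps do."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract label, issuer and secret from the otpauth:// URI a TOTP QR code encodes.
    The layout otpauth://totp/<label>?secret=...&issuer=... is the de-facto convention
    and is assumed here; DevZone's exact label text is not known from the post."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": decode_setup_key(query["secret"][0]),
    }


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter taken from the clock. No network involved."""
    return hotp(secret, at // step)


def seconds_remaining(at: int, step: int = TIME_STEP) -> int:
    """What the app's countdown indicator shows: seconds before the code changes."""
    return step - at % step


class TotpVerifier:
    """Server side. Accepts the current step plus `window` steps either side to absorb
    clock drift, and remembers the last accepted step so a captured code is single-use."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used, or older than one already used: a replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def demo() -> dict:
    """Enrolment and login with the RFC 6238 test secret (constructed input)."""
    uri = ("otpauth://totp/Nordic%20DevZone:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Nordic%20DevZone")
    secret = parse_otpauth_uri(uri)["secret"]  # what the phone keeps after the QR scan
    server = TotpVerifier(secret)
    t = 1111111109  # RFC 6238 vector: code 081804, and only 1 s left on the countdown
    code = totp(secret, t)
    return {
        "code": code,
        "left": seconds_remaining(t),
        "login_ok": server.verify(code, t),                       # typed in time
        "replay": server.verify(code, t + 5),                     # same code again: refused
        "next_ok": server.verify(totp(secret, t + 2), t + 2),     # the fresh code works
        "slow_phone": TotpVerifier(secret).verify(totp(secret, t - 40), t),  # 1 step behind: ok
        "very_slow": TotpVerifier(secret).verify(totp(secret, t - 90), t),   # 3 steps: refused
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verifier's window of one step either side is why a phone clock that is a few seconds off still works, while the "last accepted step" check is what makes a code that someone shoulder-surfed useless once you have used it yourself.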

 

I'm getting a new phone (important note!)

Note that DevZone only knows the secret stored in the instance of the Google Authenticator app that currently resides on your cell phone; that secret does not move to a new phone by itself.
If you're getting a new phone, remember to disable 2FA in your DevZone account first, while you still have the old phone, and then enable it again with the new one. Otherwise, we'll have to disable 2FA for you, until we have a single-use code scheme in place ;-)

Hope this helps.
Feel free to post questions below!

Cheers;
Eivind
