Single post in Two-Factor Authentication
Forum Index > Core > Announcements > News Archive > Two-Factor Authentication >
![Niet [Adam]'s Avatar](https://pokefarm.com/upload/:J/avatar/Niet_Icon150.png)
As promised, I looked into it. Now we have it.
Update at end of post! What is Two-Factor Authentication (2FA)? When it comes to securing things - where "things" can range from an account all the way up to nuclear launch codes - there are three possible "factors" of authentication. - "Something you know", most commonly a password. - "Something you are", typically biometrics, although this can sometimes include your physical location for example in IP-based tracking. - "Something you have", such as a physical key. One factor is good. Two is better. Three is probably overkill but necessary for super important things. But the key thing to remember is that repeating the same factor doesn't increase security. There were some suggestions of "log in using your email address instead of your username", or even having a "login name". These are just more "things you know" and don't add any security. A real-world example of two-factor authentication would be using your bank card at an ATM. You insert your card (something you have) and type in your PIN (something you know) to get access to your account. How is it implemented on PFQ? Today I am adding a new page for handling two-factor authentication. You can use this page to pair your account to your smartphone using any Authenticator app. Desktop versions exist too. It doesn't matter which app you use - Google Authenticator, Authy, WinAuth and many more. Pick one you trust. PFQ will provide a QR code for easy scanning, or you can directly copy-paste the "secret key" into your app of choice. IMPORTANT: Do NOT save this secret key ANYWHERE other than the authenticator app. Once scanned, the app will start providing you with 6-digit codes, which change every 30 seconds. Enter the code into the form to confirm the pairing and enable 2FA. After enabling 2FA, the way you log in will change. In addition to username and password, you will also need to open the authenticator app and enter the code it gives you. This proves you have the device you paired, which is the "something you have" that makes this 2FA work. Work in progress! As of this post, the feature is mostly done but not completely. You can enable 2FA and use it to secure your account today, but the "emergency backup account recovery" option is not yet implemented. You also can't yet disable 2FA once enabled. This means that if you lose your smartphone, or can't get the 2FA codes for some other reason, you won't be able to log in to PFQ. If this happens, you can contact Support and we'll help you regain access. I will be working on the part of the feature that lets you recover the account yourself, but for now it's off to the Support Centre with you! Will this be required? No. 2FA is an extra layer of security that is completely optional. It is, however, strongly recommended - especially if you have spent money here. This post will probably get updated with more questions later. For now, if you want 2FA, you can have 2FA!
Update 13/Aug: Emergency Backup Code is now available. Head over to the 2FA page to set one up. This will allow you to log in even should you lose access to your 2FA codes. Keep this code safe and hidden. Also you can disable 2FA from the 2FA page just by using your 2FA paired device. Still to do: when important actions are taken on the 2FA page, such as setting it up or - more importantly - disabling it, an email needs to be sent to the user so that you know it's happened, just in case it wasn't actually you! That'll get done soon.
Update at end of post! What is Two-Factor Authentication (2FA)? When it comes to securing things - where "things" can range from an account all the way up to nuclear launch codes - there are three possible "factors" of authentication. - "Something you know", most commonly a password. - "Something you are", typically biometrics, although this can sometimes include your physical location for example in IP-based tracking. - "Something you have", such as a physical key. One factor is good. Two is better. Three is probably overkill but necessary for super important things. But the key thing to remember is that repeating the same factor doesn't increase security. There were some suggestions of "log in using your email address instead of your username", or even having a "login name". These are just more "things you know" and don't add any security. A real-world example of two-factor authentication would be using your bank card at an ATM. You insert your card (something you have) and type in your PIN (something you know) to get access to your account. How is it implemented on PFQ? Today I am adding a new page for handling two-factor authentication. You can use this page to pair your account to your smartphone using any Authenticator app. Desktop versions exist too. It doesn't matter which app you use - Google Authenticator, Authy, WinAuth and many more. Pick one you trust. PFQ will provide a QR code for easy scanning, or you can directly copy-paste the "secret key" into your app of choice. IMPORTANT: Do NOT save this secret key ANYWHERE other than the authenticator app. Once scanned, the app will start providing you with 6-digit codes, which change every 30 seconds. Enter the code into the form to confirm the pairing and enable 2FA. After enabling 2FA, the way you log in will change. In addition to username and password, you will also need to open the authenticator app and enter the code it gives you. This proves you have the device you paired, which is the "something you have" that makes this 2FA work. Work in progress! As of this post, the feature is mostly done but not completely. You can enable 2FA and use it to secure your account today, but the "emergency backup account recovery" option is not yet implemented. You also can't yet disable 2FA once enabled. This means that if you lose your smartphone, or can't get the 2FA codes for some other reason, you won't be able to log in to PFQ. If this happens, you can contact Support and we'll help you regain access. I will be working on the part of the feature that lets you recover the account yourself, but for now it's off to the Support Centre with you! Will this be required? No. 2FA is an extra layer of security that is completely optional. It is, however, strongly recommended - especially if you have spent money here. This post will probably get updated with more questions later. For now, if you want 2FA, you can have 2FA!
Update 13/Aug: Emergency Backup Code is now available. Head over to the 2FA page to set one up. This will allow you to log in even should you lose access to your 2FA codes. Keep this code safe and hidden. Also you can disable 2FA from the 2FA page just by using your 2FA paired device. Still to do: when important actions are taken on the 2FA page, such as setting it up or - more importantly - disabling it, an email needs to be sent to the user so that you know it's happened, just in case it wasn't actually you! That'll get done soon.
Clip from Pokémon anime, re-lined by me
-- OMNOMNOM!Featured story:
Injustice
Feedback welcome!
