Two-Factor Authentication (2FA)
What is 2FA?
Two-factor authentication (2FA) or multi-factor authentication (MFA) requires a user to successfully present two or more pieces of evidence (or factors) in order to login. Your password counts as one factor: knowledge (something only the user knows). The second, when talking about websites, is usually proof of possession (something only the user has), but in some cases it can also be inherence (something only the user is).
How do I enable 2FA?
- Login
- Go to the 2FA configuration page, or click the Two-Factor Authentication link on your account page
- Click the Configure 2FA button
- Select whether you want to use an authenticator app to generate the 2FA codes you'll enter at login, or to be emailed the 2FA code each time you login. Note: there can be a delay of several minutes before the email arrives if you choose the latter.
- Follow the on-screen instructions
- Be sure to generate a list of backup codes at the end. It is suggested to print and store them in a safe place in case you ever lose access to the method you selected to receive your 2FA codes.
See I lost access to my authenticator app/email account. How do I use the backup codes to login?
Do I need it?
That's a personal choice; it is only mandatory for our site admins and MHAA officer accounts, but it is strongly suggested for all members. It's a simple way to significantly increase the level of security on your account.
How does it work?
When you enable 2FA on your MHAA account, we create a unique key and associate it with your user ID. When you login, that key is used to generate a time-based, short-lived number that you must provide in addition to your user ID and password. It's like a second password, except that it changes every 30 seconds or so, and only something in your possession should be able to generate the matching number.
If it's always changing, how do I know the number?
When you enable 2FA you will be presented with a QR code and a string of alphanumeric characters, either of which can be used to add your MHAA 2FA key to an authenticator app on your phone or other device. The authenticator app uses that key and the current time to generate the number, just like the website does.
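The scheme described above is the standard time-based one-time password (TOTP, RFC 6238), built on HOTP (RFC 4226). The following is an added illustration, not code from the MHAA site: it shows how the app and the website derive the same 6-digit number from the shared key and the current 30-second interval, how the alphanumeric key string (base32) is decoded, and how a server would verify a submitted code while tolerating a little clock drift. The key used is the public test key from RFC 6238 (the ASCII string "12345678901234567890"), chosen only so the output can be checked against the RFC; a real site issues a random key per user. Because the code depends only on the key and the time, two apps seeded with the same key show the same number, which is why the FAQ's note on multiple authenticators works.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Key from RFC 6238's published test vectors (ASCII "12345678901234567890"),
# used here only so the results can be checked against the RFC; a real site
# issues a random per-user key as the FAQ describes.
RFC6238_TEST_KEY = b"12345678901234567890"
# The same key in the form an authenticator app accepts (RFC 4648 base32).
RFC6238_TEST_KEY_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def key_from_base32(encoded: str) -> bytes:
    """Decode the alphanumeric key string shown next to the QR code.
    Spaces and missing '=' padding, common in copy-pasted keys, are tolerated."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, then `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the number of
    `step`-second intervals since the Unix epoch, so the code changes every 30 s."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current interval and `window`
    intervals on either side (phone/server clock drift), comparing in constant time."""
    if at_time is None:
        at_time = int(time.time())
    current = at_time // step
    submitted = submitted.strip().replace(" ", "")
    ok = False
    for counter in range(current - window, current + window + 1):
        # Evaluate every candidate (no early return) so timing does not reveal which matched.
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    key = key_from_base32(RFC6238_TEST_KEY_BASE32)
    assert key == RFC6238_TEST_KEY
    # Two "apps" seeded with the same key agree on the code for the same instant.
    print("code at T=59:", totp(key, at_time=59), totp(RFC6238_TEST_KEY, at_time=59))
    print("code now:", totp(key))
```

Note that a server should also remember the last interval for which it accepted a code and refuse a replay of that same code within the window; that bookkeeping is omitted here.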
Which authenticator app should I use?
Be sure to use a reputable 2FA authenticator app. There are many out there, but consider searching your device's app store for one of the following, which support adding 2FA keys for any website, not just their own services:
- LastPass Authenticator
- Microsoft Authenticator
- Google Authenticator
Can I disable 2FA?
Yes, simply:
- Login and go to the 2FA configuration page, or click the Two-Factor Authentication link on your account page
- Click the Remove 2FA button
What if I don't have/want an authenticator app?
When initially configuring 2FA, you can choose to have the codes emailed to you each time you are about to login, instead of using an authenticator app. Note that it can take a few minutes for the email with the code to arrive.
I want to switch from using an authenticator app to getting my codes via email or vice versa.
Go to the Two-Factor Authentication page and click the Change 2FA Settings button. Then click the Change email address button to reconfigure 2FA to use email instead of the app, or click the Reset Key button to set up an authenticator app.
Can I view my 2FA key? How do I reset it?
As a matter of security, your 2FA key is not viewable after the initial setup is complete. As a result, you may need to reset your 2FA key if:
- you need to set up your authenticator app again for any reason
- you are changing devices
- you are changing authenticator apps
- you want to add the key to additional authenticator apps
- you suspect your current key was compromised
Note that you cannot have multiple 2FA keys attached to your account, so resetting the key invalidates any authenticator app that you don't update with the new key.
To reset your key, simply:
- Login and go to the 2FA configuration page, or click the Two-Factor Authentication link on your account page
- Click the Reset key button
Can I set up multiple authenticator apps to use the same 2FA key so they all generate the same 2FA codes?
You can, but this has to be done while you have the key or QR code of the key in front of you and before you complete the 2FA setup. If needed, you can reset the key to start over (see the section immediately above this one).
When initially configuring 2FA or after resetting the key, add the key to each authenticator app before entering the code in the 2FA process to confirm that your authenticator is generating the codes correctly. You will only enter the code once, but if all of your authenticators display the same code at the same time, it should be obvious that each of them is set up correctly.
I lost access to my authenticator app/email account, how do I use the backup codes to login?
After submitting your user ID and password you will be prompted for the 2FA code as usual. Click the Use backup code link below the field where you would normally enter the 2FA code. This will open a new prompt for a backup code. You may use any of the backup codes to login, but each of the 10 codes in the list can only be used one time.
It is suggested that you cross each code off on your printed copy of the list after it is used and that you generate a new list of codes if you ever find yourself with only a few unused backup codes left. If you run out of backup codes AND lose access to your method of getting the 2FA codes (the app or your email, as configured) you will be completely locked out of your account.
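To show what "each code can only be used one time" means on the server side, here is an added example, not the MHAA site's own code, of how a backup-code list like the one described above can be generated and redeemed. The code length, alphabet, dash formatting and KDF settings are constructed choices for illustration. The points a practitioner would want to see are that the codes come from a cryptographic random source, that only slow hashes of the codes are stored (so a leaked database does not leak usable codes), that input is normalised to what a user will type from a printout, and that a matched code is removed so it cannot be replayed.

```python
import hashlib
import hmac
import re
import secrets
import string
from typing import List

# Constructed parameters for this example: 10 codes of 8 characters, printed as xxxx-xxxx.
CODE_COUNT = 10
CODE_LENGTH = 8
ALPHABET = string.ascii_lowercase + string.digits
KDF_ITERATIONS = 100_000


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> List[str]:
    """Draw each code from the OS CSPRNG (never random.random) and format it for printing."""
    codes: List[str] = []
    while len(codes) < count:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        code = raw[:length // 2] + "-" + raw[length // 2:]
        if code not in codes:  # collisions are astronomically unlikely, but keep the list unique
            codes.append(code)
    return codes


def normalize(code: str) -> str:
    """Accept what a user will plausibly type from a printout: any case, with or without the dash."""
    return re.sub(r"[^a-z0-9]", "", code.lower())


class BackupCodeStore:
    """What the server keeps: a salt and one slow hash per unused code, never the codes themselves."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self._unused = {self._digest(normalize(c)) for c in codes}

    def _digest(self, normalized: str) -> bytes:
        # An 8-character base-36 code carries about 41 bits of entropy, so a deliberately
        # slow KDF rather than a bare SHA-256 protects the list if the database is exposed.
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), self.salt, KDF_ITERATIONS)

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code on a match; a code can never be redeemed twice."""
        candidate = self._digest(normalize(submitted))
        matched = None
        for stored in self._unused:
            # Compare against every entry in constant time; do not stop at the first hit.
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print and store these:", *codes, sep="\n  ")
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 9
```

Generating a fresh list, as the FAQ recommends when few codes remain, simply replaces the stored set with hashes of the new codes; the old printout then stops working entirely.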
I have no way to generate the 2FA number and I don't have my backup codes, how can I login?
If all else fails, contact the MHAA webmaster or an MHAA officer through Slack or in person to request that we reset your 2FA configuration. This can only be done by the webmaster, but an officer can pass it along.
Note that the "Lost password" function on the login page will only send you a new temporary password; it will not disable 2FA on your account. This is on purpose so that someone who hacks your email account cannot simply take over your MHAA account by resetting the password.