Two-step verification (2FA)

What happens with two-step verification?

Two-step verification is a more secure way to control access to your account. Instead of logging in with a code emailed to you, or with only a password, you log in with a password plus an external device or code.

Typically, people use either an app on their phone to generate a code, or a security key that plugs into a USB port. Even if an attacker knows your password, they still can't get into your account.

Note: Emailed codes for login can't be used with two-step verification.

How to set up two-step verification

The two-step verification settings are on the Password & Security screen.

First, you must have a password set before enabling two-step verification (also known as two-factor authentication or 2FA). The password is the first of the two steps in "two-step verification".

Then you can access the Set Up Two-Step Verification button and select which kind of verification device you're adding to your account. The verification device is the second of the two steps.

Authenticator app

  1. Once you've installed the authenticator app on your phone or tablet, select to add a new account.
  2. Use your device's camera to scan the QR code on the screen, or manually type the key shown on the screen into the authenticator app. If you're setting up an OTP device, select "Set a custom key" and enter the key that came with your device.
  3. Enter the 6-digit code the app gives you into the Topicbox web interface.
  4. Name this device so you can keep track of your verification devices and remove them if needed in the future.

U2F or YubiKey OTP

  1. Insert the device into the USB port on your computer.
  2. Touch the button on the device once it lights up.
  3. Name this device so you can keep track of your verification devices and remove them if needed in the future.

Using U2F on Firefox

Mozilla Firefox supports U2F from Firefox 57 onwards, but it is not enabled by default. If you wish to enable it, enter about:config into the address bar. Search for security.webauth.u2f in the list, and double-click it to change the option to True.

Authenticator apps

Not sure which authenticator app to use? We recommend:

Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, nor does it ever communicate with Google systems as part of its operation (or with any other system for that matter). "Google Authenticator" is the name of Google's TOTP app, which has become synonymous with the authentication method itself. 
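How the 6-digit code can be checked without the app or the server contacting any other system, as an added example (not Topicbox's server code): a minimal RFC 6238 TOTP check in Python. The 30-second step, the one-step drift window, the replay rule and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code: the RFC 6238 default, assumed here
DIGITS = 6   # the 6-digit code entered in step 3

def decode_key(b32: str) -> bytes:
    """Decode the base32 key shown next to the QR code (spaces/case ignored)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, now: float) -> str:
    """RFC 6238: the counter is the number of STEP-second intervals since 1970."""
    return hotp(key, int(now) // STEP)

def verify(key: bytes, submitted: str, now: float, last_used: int = -1, drift: int = 1):
    """Return the matching time step, or None if the code is rejected.

    Tolerates +/- drift steps of clock skew. Steps <= last_used are refused,
    so a code that has been accepted once cannot be replayed.
    """
    current = int(now) // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        expected = hotp(key, step).encode()
        if step > last_used and hmac.compare_digest(expected, submitted.encode()):
            return step
    return None

# Constructed sample key: the RFC 6238 test secret in base32, not a real account key.
SAMPLE_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_key(SAMPLE_KEY_B32)
    now = time.time()
    code = totp(key, now)               # what the app displays, computed offline
    step = verify(key, code, now)       # what the server recomputes on its own
    print(code, "accepted at step", step)
    print("replayed:", verify(key, code, now, last_used=step))
```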

Disabling two-step verification

On the Password & Security screen, remove all verification devices to switch off two-step verification. You can now log in via a code emailed to you, or via your password.

Recovery Codes

You still want to be able to get into your account when you don't have your verification device with you, or if you've lost your verification device. Recovery codes allow you to recover your account in this situation.

Recovery codes can act as your second step. Each one is a code you can use once in place of your verification device.

Once you have set up two-step verification, you can get a set of ten recovery codes. Save them somewhere safe. Recovery codes can't be used as a password, and they are only valid if you have already set up at least one other verification device.

A set of recovery codes can be removed from use if they are compromised, or you've lost the list.

Why should I use two-step verification?

In an ideal world, all passwords would be secret, known only to you. But the more a password is used, the more exposed it becomes to malicious attackers. They might try to steal it (through phishing or malware/spyware), or guess it (through brute-force, repeated dictionary attacks).

The point of two-step verification is that if someone does manage to steal your password, they still can't use it to log into your account without your verification device. Two-step verification keeps your account safe even if your password is not.

It's important to keep your Topicbox account secure: if someone breaks into your account, they can change your email address and then use it to send out spam or phishing mail to all the groups you are a member of.



