Multi-Factor Authentication

DNSimple supports multi-factor authentication. We make this feature available for free to all user profiles, regardless of the subscription plan of any associated accounts.

Multi-factor Authentication (MFA) is a security measure that helps protect you from unwanted access to your account, and increases the security of your data. Once enabled, you’re prompted to provide a verification code or use a security key in addition to your username and password when you log in. Verification codes should be generated by an authenticator app and will be refreshed every 30 seconds.

Enabling multi-factor authentication

DNSimple supports MFA using the following methods as a second verification step:

  • Time-based one-time passwords
  • WebAuthn-compatible security keys

You can enable MFA from your user page, either by linking a one-time password authenticator application or a security key that’s compatible with WebAuthn to your user profile.

Make sure to install a one-time password authenticator application if you’ll be using one-time passwords for multi-factor authentication. You’ll need it to generate a verification code to complete the setup. Or, if you’ll be using a security key, have it ready to complete the security key registration.

When you enable MFA for your user profile, you’ll be logged out of all currently logged-in devices.

To enable multi-factor authentication with one-time password
  1. Log in to DNSimple with your user credentials.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Click on .

    Enable multi-factor authentication with one-time password

  4. Scan the barcode using a one-time password authenticator app. You can also manually enter the secret code in your authenticator app. Just click on , and type the code into your authenticator.

    Multi-factor barcode

  5. Using the one-time password authenticator app, generate a verification code, enter the 6-digit verification code into the field, and press to confirm. If the verification code is correct, you’ll be redirected to the next step. Otherwise you’ll be asked to enter a new verification code.

  6. The setup process ends here if you have an alternative MFA method already set up; however, if this is the only multi-factor authentication method you have set up, a recovery code will be generated, and you’ll need to confirm the recovery code. Copy and store the recovery code in a safe place.

    Multi-factor recovery code

  7. Follow the instructions to complete the setup and activate multi-factor authentication via one-time password.

    Multi-factor recovery code

To enable multi-factor authentication with a security key
  1. Log in to DNSimple with your user credentials.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Click on to connect a new security key to your user profile.

    Enable security key

  4. Enter a nickname to help you identify the security key you’re registering.

    Security key nickname

    If this is the first multi-factor authentication method you’re setting up, the screen will look slightly different, as shown below, because a recovery code will be generated and you’ll need to confirm it. Copy and store the recovery code in a safe place.

    Security key nickname with recovery code

  5. Click on the button — you’ll see this if you have an alternative multi-factor authentication method already set up. You should see a prompt to choose the type of security key you want to activate. The prompt will look different depending on your platform and browser. Select the security key type and activate it. That will complete the security key setup process.

    However, if this is the only multi-factor authentication method you have set up, you’ll see a button instead of . Click on to confirm the recovery code, then you can complete the security key setup process.

  6. Fill in the form with the recovery code, and click the button. You should see a prompt to choose the type of security key you want to activate. The prompt will look different depending on your platform and browser. Select the security key type and activate it.

    Multi-factor confirm recovery code

Some security key types, like Touch ID on Mac, may be tied to a browser. For example, to use Touch ID on both Chrome and Safari browsers, you may need to register a Touch ID security key in Chrome and also in Safari.

Disabling a multi-factor authentication method

You can remove a one-time password authenticator application or any security keys associated with your user profile. However, you must have at least one of them enabled at any given time.

To disable a one-time password authenticator application
  1. Log in to DNSimple with your user credentials.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Click on the button next to the displayed Authenticator app configuration to go on to the confirmation page.

    Disable authenticator

  4. On the confirmation page, use the authenticator app to generate a new verification code, and enter your code. Click to confirm and disable multi-factor authentication via the authenticator application.

    Confirm disabling of authenticator

To disable a security key
  1. Log in to DNSimple with your user credentials.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Click on the button next to the security key you would like to disable, to go on to the confirmation page.

    Disable security key

  4. On the confirmation page, click . You will be prompted to activate the same security key, to confirm its deletion as an MFA method.

    Confirm disabling of security key

Logging in with multi-factor authentication

When multi-factor protection is enabled, you must perform a second verification step each time you log in with your username and password. The second verification step can be done with an authentication method you have enabled, like one-time passwords or security keys.

Using a one-time password
  1. Log in to DNSimple with your username and password.

  2. If the credentials are correct, you’ll see a 2-Step Verification window which may look different depending on whether you also have a security key enabled.

    If you also have a security key enabled as an MFA method, it will be the default authentication method displayed. Click to switch to using a one-time password for the second verification step.

    Multi-factor authentication

    If you don’t have security keys enabled, you’ll see the following 2-Step Verification window immediately:

    Multi-factor authentication

  3. Use your one-time password authenticator app to generate a verification code, paste the verification code into the form, and submit to complete the 2-step login verification process.

The verification code automatically expires every 30 seconds. If five seconds or less remain before the code expires, wait for the next verification code to limit the possibility of an authentication failure.

Using a security key
  1. Log in to DNSimple with your username and password.

  2. If the credentials are correct, you’ll see a 2-Step Verification window.

    Multi-factor authentication

  3. Click on , select the type of security key you’ll be activating, and activate the security key.

Recovery code

When you enable your first MFA method, a recovery code is created as a safeguard. Use the recovery code to disable MFA when you can’t generate a one-time password with your authenticator app or activate your registered security key, or when you can’t disable an MFA method, for example because you lost the security key or the device where the authenticator was installed.

The recovery code is the only way to recover access to your account if you can’t generate a one-time password with an authenticator app or activate a security key for completing the 2-step verification process. Store the recovery code in a safe, secure place. We cannot disable multi-factor authentication without this recovery code.

When you enter a valid recovery code, multi-factor protection will immediately be disabled. To keep your account protected, you’ll need to enable it again by connecting a one-time password authenticator application or security key to your user profile. A new recovery code will be generated for you then.

All security keys and any one-time password-based MFA methods configured will be removed when you use your recovery code to disable MFA.

Disabling multi-factor authentication during login using the recovery code
  1. Log in to DNSimple with your user credentials.

  2. On the 2-Step Verification page, click .

    screenshot: Use recovery code for MFA

  3. Enter the recovery code, and click .

    screenshot: Use recovery code disables MFA authentication

  4. If the recovery code is correct, MFA protection will immediately be disabled for the account.

You can also use your recovery code to disable MFA when you can’t remove a one-time password-based or security key-based MFA method.

Disabling multi-factor authentication to remove a one-time password or security key MFA method
  1. Log in to DNSimple with your user credentials.

  2. Follow the steps to remove a one-time password-based or security key-based MFA method.

  3. On the one-time password or security key removal confirmation page, click on the link.

    Disable recovery code

  4. Fill in the recovery code, and click on .

    Reset all MFA

  5. If the recovery code is correct, MFA protection will immediately be disabled for the account.

Recovery codes can be re-generated. When a recovery code is re-generated, you cannot use any previously-generated recovery codes to disable MFA.

Re-generating a recovery code
  1. Log in to DNSimple with your user credentials.

  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Click on the button next to the existing recovery code.

    Regenerate recovery code

  4. You will see a new recovery code displayed. Store the new recovery code in a safe place, and click on to confirm the re-generation of your recovery code.

    Store recovery code

  5. Fill in the recovery code, and click on to complete the recovery code re-generation.

    Confirm recovery code

Multiple accounts

Multi-factor protection is attached to a user profile, not an account, just like your username and password credentials.

If an account has multiple users, each member must enable MFA separately. If your user profile has access to more than one account, you only need to enable MFA once.

One-time password authenticator applications

DNSimple’s one-time password-based MFA implementation is based on RFC 6238, also known as time-based one-time password (TOTP). Any authenticator application compatible with this specification can be used to generate a DNSimple one-time password.

There are lots of time-based authenticator apps that generate one-time password verification codes. Here are some we recommend:

Security keys

DNSimple’s security key-based MFA implementation is based on the WebAuthn standard.

Both platform authenticators, e.g. Touch ID, and cross-platform authenticators, e.g. YubiKey, which are compatible with WebAuthn are supported.

Best Practices for Multi-Factor Authentication

To benefit from true MFA, you must keep your one-time password authenticator application or security key, and your primary user credentials separate. For example, if you use your mobile device as your one-time password authenticator, you shouldn’t have your primary user credentials on your mobile device.

If you decide to use your mobile device both as your security key or one-time password authenticator and as the device you use to access DNSimple, you still get the added benefit of a second verification step at login should your credentials be compromised, but you won’t benefit from true MFA. It’s up to you to decide what level of security is important for you and your accounts.

Troubleshooting multi-factor authentication

Ensuring your phone’s date and time are synchronized

One-time password verification codes are based on time, so the time on your phone has to be in sync with the official time. Otherwise, your authenticator app will generate a mismatching code. If your phone’s time is out of sync, or if you’ve changed time zones, the best way to fix it is to change the time settings on your phone from “Manual” to “Automatic”.

Using a freshly-generated one-time password verification code

Sometimes, a one-time password verification code may not be accepted, despite entering it correctly. This usually happens when the original token was close to expiration.

The verification code automatically expires every 30 seconds. Most one-time password authenticator apps display a count-down with the remaining time before expiration.

screenshot: Display of countdown of 2fa code expiration

If five seconds or less remain before the code expires, wait for the next verification code to limit the possibility of an authentication failure caused by time differences or connection latency.
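
The RFC 6238 computation behind the 6-digit, 30-second codes, together with the two failure modes described in this troubleshooting section (a phone clock that is out of sync, and a code submitted just as it expires), as an added example that is not DNSimple's code. The `window` tolerance is an assumption, since the page does not state how much drift the server accepts, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as stated on this page
DIGITS = 6   # length of the verification code, as stated on this page

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 code for the given time, HMAC-SHA1 (the RFC's default)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step              # number of elapsed time steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_remaining(unix_time, step=STEP):
    """Seconds until the code shown at unix_time is replaced."""
    return step - int(unix_time) % step

def verify(secret_b32, code, server_time, window=1, step=STEP):
    """Accept codes from the server's current step or `window` steps either side.

    `window` is an assumed tolerance; the page does not say what DNSimple allows.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False

# Constructed sample input: the published RFC 6238 test key, base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    shown_at = 1111111109                   # phone displays the code here
    code = totp(SECRET, shown_at)
    print(code, "expires in", seconds_remaining(shown_at), "s")
    arrives_at = shown_at + 2               # latency pushes it into the next step
    print("strict server:", verify(SECRET, code, arrives_at, window=0))
    print("one-step tolerance:", verify(SECRET, code, arrives_at, window=1))
    skewed = totp(SECRET, arrives_at - 90)  # phone clock 90 s behind
    print("skewed phone:", verify(SECRET, skewed, arrives_at, window=1))
```

A code shown with one second left and submitted two seconds later only passes if the verifier tolerates the previous step, and a phone clock 90 seconds behind falls outside a one-step tolerance entirely.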