Multi-Factor Authentication


DNSimple supports multi-factor authentication. We make this feature available for free to all user profiles, regardless of the subscription plan of any associated accounts.

Multi-factor authentication (MFA) is a multi-step security measure that helps prevent unwanted access to your account, and increases the security of your data. Once enabled, you’re prompted to provide a verification code or use a security key in addition to your username and password when you log in. Verification codes should be generated by an authenticator app and will be refreshed every 30 seconds.

Enabling multi-factor authentication

DNSimple supports MFA using the following methods as a second verification step:

Make sure to install a one-time password authenticator application if you’ll be using one-time passwords for multi-factor authentication. You’ll need it to generate a verification code to complete the setup. Or, if you’ll be using a security key, have it ready to complete the security key registration.

When you enable MFA for your user profile, you’ll be logged out of all currently logged-in devices.

To enable multi-factor authentication with one-time password
  1. Go to your user page by selecting User Settings at the top right of the screen.

  2. In the 2-Step Verification card, click Add next to “Connect an authenticator app that generates verification codes”.

  3. Scan the barcode using a one-time password authenticator app. You can also manually enter the secret code by clicking Can’t scan the barcode? and typing the code into your authenticator.

  4. Using the one-time password authenticator app, generate a verification code.

  5. Enter the 6-digit verification code into the field, and click Continue to confirm. If the verification code is correct, you’ll be redirected to the next step. Otherwise, you’ll be asked to enter a new verification code.

  6. The setup process ends here if you have an alternative MFA method already set up.

    If this is the only multi-factor authentication method you have set up, a recovery code will be generated, and you’ll need to confirm the recovery code. Copy and store the recovery code in a safe place.

  7. Follow the instructions to complete the setup and activate multi-factor authentication via one-time password.

To enable multi-factor authentication with a security key
  1. Go to your user page by selecting User Settings at the top right of the screen.

  2. In the 2-Step Verification card, click Add next to “Connect a security key to your user” to connect a new security key to your user profile.

  3. Enter a nickname to help you identify the security key you’re registering.

    If this is the first multi-factor authentication method you’re setting up, the screen will look slightly different, because a recovery code will be generated, and you’ll need to confirm it. Copy and store the recovery code in a safe place.

  4. Click Register Key — you’ll see this if you have an alternative multi-factor authentication method already set up. You should see a prompt to choose the type of security key you want to activate. The prompt will look different depending on your platform and browser. Select the security key type, and activate it to complete the security key setup process.

    However, if this is the only multi-factor authentication method you have set up, you’ll see a Continue button instead of Register Key. Click on Continue to confirm the recovery code, then you can complete the security key setup process.

  5. Fill in the form with the recovery code, and click Confirm recovery and register key. You should see a prompt to choose the type of security key you want to activate. The prompt will look different depending on your platform and browser. Select the security key type, and activate it.

    Some security key types, like Touch ID on a Mac, may be tied to a browser. For example, to use Touch ID on both Chrome and Safari browsers, you may need to register a Touch ID security key in Chrome and also in Safari.

Disabling a multi-factor authentication method

You can remove a one-time password authenticator application or any security keys associated with your user profile. However, you must have at least one of them enabled at any given time.

To disable a one-time password authenticator application
  1. Go to your user page by selecting User Settings at the top right of the screen.

  2. In the 2-Step Verification card, click Delete next to the displayed authenticator app configuration. This will take you to the confirmation page.

  3. On the confirmation page, use the authenticator app to generate a new verification code, and enter your code. Click Disable Two-Factor authentication to confirm and disable multi-factor authentication via the authenticator application.

To disable a security key
  1. Go to your user page by selecting User Settings at the top right of the screen.

  2. In the 2-Step Verification card, click Delete next to the security key you would like to disable. This will take you to the confirmation page.

  3. On the confirmation page, click Confirm deletion. You will be prompted to activate the same security key to confirm its deletion as an MFA method.

Logging in with multi-factor authentication

When multi-factor protection is enabled, you must perform a second verification step each time you log in with your username and password. The second verification step can be done with an authentication method you have enabled, like one-time passwords or security keys.

Using a one-time password
  1. Log in to DNSimple with your username and password.

  2. If the credentials are correct, you’ll see a 2-Step Verification window. This may look different if you also have a security key enabled.

    If you have a security key enabled, it will be the default authentication method displayed. Click Use one-time password to switch to using a one-time password for the second verification step.

    If you don’t have security keys enabled, you’ll see the 2-Step Verification window immediately.

  3. Use your one-time password authenticator app to generate a verification code, paste the verification code into the form, and submit it to complete the 2-step login verification process.

    The verification code automatically expires every 30 seconds. If the expiration is in five seconds or less, wait for the next verification code to limit the possibility of an authentication failure.

Using a security key
  1. Log in to DNSimple with your username and password.

  2. If the credentials are correct, you’ll see a 2-Step Verification window.

  3. Click Log in, select the type of security key you’ll be activating, and activate the security key.

Recovery code

When you enable your first MFA method, a recovery code is created as a safeguard. You’ll need this recovery code to disable MFA if you can’t generate a one-time password with your authenticator app, activate your registered security key, or disable an MFA method, for example because you lost the security key or the device where the authenticator was installed. Save this recovery code in a secure, memorable place.

The recovery code is the only way to recover access to your account if you can’t generate a one-time password with an authenticator app or activate a security key for completing the 2-step verification process. Store the recovery code in a secure place. We cannot disable multi-factor authentication without this recovery code.

When you enter a valid recovery code, multi-factor protection will immediately be disabled. To keep your account protected, you’ll need to enable it again by connecting a one-time password authenticator application or security key to your user profile. A new recovery code will be generated.

All security keys and any one-time password-based MFA methods configured will be removed when you use your recovery code to disable MFA.

Disabling multi-factor authentication during login using the recovery code
  1. Log in to DNSimple with your user credentials.

  2. On the 2-Step Verification page, click Use recovery code.

  3. Enter the recovery code, and click Log in and disable all multi-factor authentications.

  4. If the recovery code is correct, MFA protection will immediately be disabled for the account.

You can also use your recovery code to disable MFA when you can’t remove a one-time password-based or security key-based MFA method.

Disabling multi-factor authentication to remove a one-time password or security key MFA method
  1. Follow the steps to remove a one-time password-based or security key-based MFA method.

  2. On the one-time password or security key removal confirmation page, click the disable multi-factor authentication link.

  3. Fill in the recovery code, and click Reset all multi-factor methods.

  4. If the recovery code is correct, MFA protection will immediately be disabled for the account.

Recovery codes can be regenerated. When a recovery code is regenerated, you cannot use any previously-generated recovery codes to disable MFA.

Regenerating a recovery code
  1. Go to your user page by selecting User Settings at the top right of the screen.

  2. In the 2-Step Verification card, click Re-generate next to the existing recovery code.

  3. You will see a new recovery code displayed. Store the new recovery code in a safe place, and click Next to confirm the regeneration of your recovery code.

  4. Fill in the recovery code, and click Re-generate recovery code to complete the recovery code regeneration.

Multiple accounts

Multi-factor protection is attached to a user profile, not an account, just like your username and password credentials.

If an account has multiple users, each member must enable MFA separately. If your user profile has access to more than one account, you only need to enable MFA once.

One-time password authenticator applications

DNSimple’s one-time password-based MFA implementation is based on RFC6238, also known as time-based one-time password (TOTP). Any authenticator application compatible with this specification can be used to generate a DNSimple one-time password.

There are many time-based authenticator apps that generate one-time password verification codes. Here are some we recommend:

Security keys

DNSimple’s security key-based MFA implementation is based on the WebAuthn standard.

Both platform authenticators (e.g. Touch ID) and cross-platform authenticators (e.g. YubiKey) that are compatible with WebAuthn are supported.

Best practices for multi-factor authentication

To benefit from true MFA, you must keep your one-time password authenticator application or security key, and your primary user credentials separate. For example, if you use your mobile device as your one-time password authenticator, you shouldn’t have your primary user credentials on your mobile device.

If you decide to use your mobile device as both your security key or one-time password authenticator and device for accessing DNSimple, you still get the added benefit of a second verification step for login should your credentials be compromised, but you won’t benefit from true MFA. It’s up to you to decide what level of security is important for you and your accounts.

Troubleshooting multi-factor authentication

Ensuring your phone’s date and time are synchronized

One-time password verification codes are based on time, so the time on your phone has to be in sync with the official time. Otherwise, your authenticator app will generate a mismatched code. If your phone’s time is out of sync, or if you’ve changed time zones, the best way to fix it is to change the time settings on your phone from “Manual” to “Automatic”.

Using a newly-generated one-time password verification code

Sometimes a one-time password verification code may not be accepted, despite entering it correctly. This usually happens when the original token was close to expiration.

The verification code automatically expires every 30 seconds. Most one-time password authenticator apps display a countdown to expiration.

If the expiration is in five seconds or less, wait for the next verification code to limit the possibility of an authentication failure caused by time differences or connection latency.
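
The RFC 6238 computation behind the verification codes, and the reason a code typed with one second left on the countdown can fail, shown as an added example (not DNSimple's code). The secret is the RFC 6238 test key, and the server's `window` of tolerated drift is an assumption, since this page does not state how much drift the service accepts.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as stated on this page
DIGITS = 6   # code length, as stated on this page
# RFC 6238 Appendix B test key ("12345678901234567890"), base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = max(int(unix_time) // STEP, 0)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_remaining(unix_time: float) -> int:
    """What the authenticator's countdown shows at unix_time."""
    return STEP - int(unix_time) % STEP


def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Server-side check. `window` (steps of drift tolerated on either side)
    is an assumption; the page does not document the service's tolerance."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + drift * STEP)
        ok |= hmac.compare_digest(candidate, code)  # constant-time compare
    return ok


if __name__ == "__main__":
    typed_at, received_at = 1111111109, 1111111111  # RFC 6238 test times
    code = totp(RFC_TEST_SECRET, typed_at)
    print(code, "countdown:", seconds_remaining(typed_at), "s")
    print("strict server:", verify(RFC_TEST_SECRET, code, received_at, window=0))
    print("one step of tolerance:", verify(RFC_TEST_SECRET, code, received_at))
```

The same arithmetic explains the clock advice: a phone whose time is off by more than the tolerated number of 30-second steps computes a code for a counter the server never checks.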

Need more help?

If you have any questions about MFA or need assistance setting it up, contact our support team, and we’ll be happy to help.