Two-factor Authentication

Table of Contents


DNSimple supports two-factor authentication. This feature is available for free to all user profiles, regardless the subscribed plan of the associated accounts.

Two-factor authentication is a security measure that helps protect you from unwanted access to your account. Once enabled you are prompted to provide a verification code in addition to the username and password when you log in. The verification code is generated by an authenticator app and it is refreshed every 30 seconds.

Two-factor authentication helps mitigate the risk of unauthorized access to your user account and increases the security of your data. If somebody is able to steal your password, they will also need to get access to your authenticator app (generally installed on your mobile device) to login.

Enable two-factor authentication

You can enable two-factor authentication from your user page. Before proceeding, make sure to install an authenticator application as you will need it to generate a verification code in order to complete the setup.

When you enable two-factor authentication on a user account, all currently logged in devices will be logged out.

To enable two-factor authentication
  1. Log into your DNSimple account.
  2. Go to your user page, by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section and follow to start the wizard to enable the feature.

    Enable two-factor authentication

  4. Scan the barcode using an authenticator app. You can also enter the secret code in your authenticator app manually, just click on and type the code into your authenticator.

    Two-factor barcode

  5. Using the authenticator app, generate a verification code, enter the 6-digit verification code into the field, and press to confirm. If the verification code is correct you will be redirected to the next step, otherwise you will be asked to enter a new verification code.

  6. Copy and store the recovery code in a safe place.

    Two-factor recovery code

  7. Follow the instructions to complete the setup and activate two-factor authentication.

Disable two-factor authentication

To disable two-factor authentication
  1. Log into your DNSimple account.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section and follow to go to the confirmation page.

    Disable two-factor authentication

  4. Click to confirm and disable two-factor authentication for the user account.

Login with two-factor authentication

When two-factor protection is enabled, you must enter a verification code each time you login with username and password. In order to login simply enter your username and password as usually and confirm.

If the credentials are correct, you will see a two-factor authentication window like the following one.

Two-factor authentication

Use your authenticator app to generate a verification code, paste the verification code into the form and submit.

The verification code automatically expires every 30 seconds. Most authenticator apps display a count-down with the remaining time before expiration. If the expiration is close to 5 seconds or less, you should wait for the next verification code to limit the possibility of an authentication failure caused by time differences or connection latency.

Recovery code

When you enable two-factor authentication, a recovery code is created as a safeguard. The recovery code is used to disable two-factor authentication for a user account when you can’t generate a token with the authenticator app, for example because you lost the device where the authenticator was installed.

The recovery code is the only way to recover access to your account in case you can’t generate a two-factor token. Therefore, make sure to store the recovery code in a safe and secure place. We cannot disable two-factor authentication without this recovery code!

When you enter a valid recovery code, the two-factor protection will be immediately disabled. You will need to enable it again, with a new barcode and recovery code, to keep your account protected.

To disable two-factor authentication using the recovery code
  1. Log into your DNSimple account using your username and password.

  2. On the two-factor authentication page, follow link

  3. Enter the recovery code and confirm.

  4. If the recovery code is correct the two-factor authentication protection will be immediately disabled for the account.

Multi-accounts

Two-factor protection is attached to a user profile, not to an account, exactly as your username and password credentials.

If an account has multiple users, each member will need to enable two-factor authentication separately. If your user profile has access to more than one account, you need to enable two-factor only once.

Authenticator applications

There are a large number of time-based two-factor authentication apps you can use to generate a verification code. One well-known application is Google Authenticator. It is available for several mobile platforms including Android, Blackberry and iOS devices.

The DNSimple two-factor implementation is based on RFC6238, also known as time-based one-time password (TOTP). Any application compatible with this specification can be used to generate a DNSimple two-factor verification code.

Here’s some recommended apps:

Upgrade from Authy

DNSimple has been supporting two-factor authentication since 2012. The original implementation was based on an external authentication platform called Authy.

The Authy authentication workflow is quite standard and similar to any other time-based two-factor authentication system. However, there are a few differences compared to the current TOTP implementation:

  • Authy doesn’t expose the authentication secret publicly. There is no barcode to scan or secret code to copy, therefore it’s only possible to generate a verification code using the Authy authenticator app or requesting a code via SMS.
  • Authy requires a mobile phone when activating the two-factor protection. The user is identified by the mobile phone.

DNSimple will eventually discontinue the support for the Authy two-factor platform, therefore the next time you log in, you will be prompted to migrate your two-factor authentication to our new system. Simply click the button at the bottom of the page when you next authenticate and follow the procedure presented to you for disabling Authy and enabling the new system.

The Authy authenticator app is currently designed to support both Authy and standard two-factor implementation. Therefore, if you want to keep using the Authy app, simply scan the barcode from the Authy app and use it to generate the verification code. Please note it will not be possible to use the previously configured Authy-based profile with the new two-factor system unless you scan the new barcode with the Authy app.

Best Practices for Two-Factor Authentication

For two-factor authentication to work properly, you must keep your token generator and your primary user credentials separate. This means, for example, that if you use your mobile device as your token generator then you should not have your primary user credentials on your mobile device, otherwise you lose the benefit of a true second factor in authentication.

If you decide to use your mobile device as both your token generator and for accessing your DNSimple user account, then you still get the added benefit of a one-time password for log in should your credentials be compromised, but you will not benefit from true two-factor authentication. Ultimately it is up to you to decide what level of security is important for you and your accounts.