Two-Factor Authentication


DNSimple supports two-factor authentication. We make this feature available for free to all user profiles, regardless of the subscription plan of any associated accounts.

Two-factor authentication is a security measure that helps protect you from unwanted access to your account, and increases the security of your data. Once enabled, you’re prompted to provide a verification code in addition to your username and password when you log in. The verification code is generated by an authenticator app. It’s refreshed every 30 seconds.

Enabling two-factor authentication

You can enable two-factor authentication from your user page. Before proceeding, make sure to install an authenticator application. You’ll need it to generate a verification code to complete the setup.

When you enable two-factor authentication for your user profile, you’ll be logged out of all currently logged-in devices.

To enable two-factor authentication
  1. Log in to DNSimple with your user credentials.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Follow to start the wizard to enable the feature.

    Enable two-factor authentication

  4. Scan the barcode using an authenticator app. You can also manually enter the secret code in your authenticator app, just click on , and type the code into your authenticator.

    Two-factor barcode

  5. Using the authenticator app, generate a verification code, enter the 6-digit verification code into the field, and press to confirm. If the verification code is correct, you’ll be redirected to the next step, otherwise you’ll be asked to enter a new verification code.

  6. Copy and store the recovery code in a safe place.

    Two-factor recovery code

  7. Follow the instructions to complete the setup and activate two-factor authentication.

Disabling two-factor authentication

To disable two-factor authentication
  1. Log in to DNSimple with your user credentials.
  2. Go to your user page by selecting the link under your user menu.

    Settings menu

  3. Scroll down until you see the section. Follow to go to the confirmation page.

    Disable two-factor authentication

  4. Click to confirm and disable two-factor authentication.

Logging in with two-factor authentication

When two-factor protection is enabled, you must enter a verification code each time you log in with your username and password. To log in, enter your username and password and confirm.

If the credentials are correct, you’ll see a two-factor authentication window:

Two-factor authentication

Use your authenticator app to generate a verification code, paste the verification code into the form and submit.

The verification code automatically expires every 30 seconds. Most authenticator apps display a countdown with the remaining time before expiration. If five seconds or less remain before expiration, you should wait for the next verification code to limit the possibility of an authentication failure caused by time differences or connection latency.

Recovery code

When you enable two-factor authentication, a recovery code is created as a safeguard. Use the recovery code to disable two-factor authentication when you can’t generate a token with the authenticator app, for example, because you lost the device where the authenticator was installed.

The recovery code is the only way to recover access to your account if you can’t generate a two-factor token. Store the recovery code in a safe, secure place. We cannot disable two-factor authentication without this recovery code.

When you enter a valid recovery code, two-factor protection will immediately be disabled. To keep your account protected, you’ll need to enable it again with a new barcode and recovery code.

To disable two-factor authentication using the recovery code
  1. Log in to DNSimple with your user credentials.

  2. On the two-factor authentication page, follow .

  3. Enter the recovery code and confirm.

  4. If the recovery code is correct, the two-factor authentication protection will immediately be disabled for the account.

Multiple accounts

Two-factor protection is attached to a user profile, not an account, just like your username and password credentials.

If an account has multiple users, each member must enable two-factor authentication separately. If your user profile has access to more than one account, you only need to enable two-factor once.

Authenticator applications

DNSimple’s two-factor implementation is based on RFC 6238, also known as time-based one-time password (TOTP). Any application compatible with this specification can be used to generate a DNSimple two-factor verification code.
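The sketch below shows how an RFC 6238 code is derived and why a code entered just before its 30-second expiry can fail. It is an added example, not DNSimple's code: it assumes the HMAC-SHA1 variant with a base32 secret, the secret is a constructed sample built from the RFC test key, and `drift_steps` is a hypothetical server-side tolerance that this page does not specify.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per code, as stated on this page
DIGITS = 6    # code length, as stated on this page

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1 variant) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_remaining(unix_time: int) -> int:
    """Lifetime left for the code an authenticator shows at unix_time."""
    return STEP - (unix_time % STEP)


def verify(secret_b32: str, code: str, unix_time: int, drift_steps: int = 0) -> bool:
    """Accept code if it matches the current step or one within drift_steps of it."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP)
        # Constant-time comparison, no early exit, so timing does not reveal the step.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)                          # generated with 1 s left
    print(code, seconds_remaining(59))
    print(verify(SAMPLE_SECRET, code, 61))                  # strict check, 2 s later
    print(verify(SAMPLE_SECRET, code, 61, drift_steps=1))   # one step of tolerance
```

A code generated with one second left is rejected two seconds later by a verifier with no tolerance, which is why waiting for the next code is advised when the countdown is nearly over.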

There are lots of time-based two-factor authentication apps that generate verification codes. Here are some we recommend:

Best Practices for Two-Factor Authentication

To benefit from true two-factor authentication, you must keep your token generator and your primary user credentials separate. For example, if you use your mobile device as your token generator, you shouldn’t have your primary user credentials on your mobile device.

If you decide to use your mobile device as both your token generator and for accessing DNSimple, you still get the added benefit of a one-time password at login should your credentials be compromised, but you won’t benefit from true two-factor authentication. It’s up to you to decide what level of security is important for you and your accounts.