Two-factor authentication is a two-step process that helps keep bad guys out of a computer account even if they have your password. For shorthand in this tutorial, two-factor authentication will be referred to as 2FA.

2FA can be broken down into two steps, as the name implies:

Step 1: log in to your Adafruit or other online account with your user name and password.

Step 2: when prompted, provide the code that was sent to your mobile device to let you access the account.

2FA requires that steps 1 and 2 are both completed on the device from which you are trying to access your account.

How does 2FA work to protect you?

Let's examine how 2FA can help in the following scenario:

Pikachu is a super adorable, popular streamer on Twitch. Pikachu has heard of his friend's account getting hacked, so he took action and set up 2FA on his Twitch account to stay protected. Now, every time he logs in, the process will be two steps, and one of the steps is to provide the text being sent to his phone.

Mimikyu is another Twitch user who dislikes Pikachu. He wants to get a hold of Pikachu's Twitch account so he can demand a ransom (a lot of money) to return it. Mimikyu has managed to successfully guess step 1 of the login process, Pikachu's username and password. But Mimikyu cannot get past step 2 because he needs the code sent to Pikachu's phone. Mimikyu, out of frustration, gives up without being able to steal Pikachu's account.

Score one for 2FA for being able to protect Pikachu from online attackers! pika pika!

2FA For Adafruit Accounts

At Adafruit Industries we are proud to be able to offer our community 2FA protection. Whether you want to use an authentication app on your phone or just receive an SMS text message with the code to log in, please enable 2FA to add additional security to your account.

Do keep in mind, Mimikyu was able to successfully guess Pikachu's password, which was Pikapika123! This is not a very good password since it can be easily guessed given Pikachu's social media posts and the content he puts out.

Keep a lookout for our next guide on how to increase password complexity and use online password managers to prevent attackers from guessing your passwords so easily. 

For this two-factor authentication setup, we will be using the Twilio Authy app. It's very similar to the Google Authenticator app: once you log in with your email and password, a code will be available in the Twilio Authy app for the account you are trying to access. Note that the codes in the Twilio Authy app change consistently every 30 seconds.

Quick Start

Here is an outline of the steps to take to enable 2FA on your account using the Twilio Authy app:

  1. Login to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. For mobile devices, download the Twilio Authy app from the iOS/Play Store. Desktop versions for Windows/Mac/Linux are available at authy.com
  6. Using the app, scan the QR code shown on the screen
  7. Provide the code shown in the app to enable 2FA

Step by Step Instructions

 

Step 1 & 2. Login to your Adafruit Account & Navigate to "My Account"

Now let's get started by signing into an Adafruit account and navigating to "My Account" as shown in the screenshot below:

Step 3. Under "My Account" select "Security and Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account. Continue by clicking on the "Security and Privacy" option highlighted in red in the image below: 

Step 4. Select "Edit two-factor authentication settings"

In Security and Privacy, notice the red letters stating 2FA is disabled. By default, 2FA is disabled on every account. We will want to start the process to enable it and add a layer of security to the account. 

Continue by clicking on the text "Edit two-factor authentication settings", which is the second portion highlighted in yellow below:

Continue by selecting "Click here to Enable" in order to continue setting up 2FA on your account.

You will be redirected to a page with a QR code. This code will be used to set up 2FA using the Twilio Authy app. You can scan the QR code once you download the Authy app.

Step 5. Download the Twilio Authy app & Step 6. Using the app scan the QR code

Once you have downloaded the Twilio Authy app, follow these steps:

1) In the Twilio Authy app, click "add an account" in the top right corner.

2) Scan the QR code shown on the Adafruit site to set up 2FA.

To the left is an example of how the authentication code for your Adafruit account will be displayed in the Twilio Authy app.

You will see this code after scanning the QR code on the screen with the app.


Step 7. Provide the code sent to the app to enable 2FA

Enter the code shown under the email you use for your Adafruit account in the prompt asking for "AUTHENTICATION CODE".

After selecting Continue, you will be prompted to copy and save an emergency code. If your mobile device gets lost, you can use this code one time to access your account.

Save the code and select "I have copied the code" to finalize the 2FA enabling process. 

Now every time you sign in and out of your Adafruit account, you will be asked for the authentication code which you will retrieve from the Twilio Authy App.

2FA acts as a protective barrier between you and the application you are trying to access. Even if your password gets compromised, you are guaranteed that the information in the account will be safe from whoever is trying to access the account.

As long as you have the authenticator app, your phone, or even the backup code that was generated for you – only you should be able to access the account.

A second way to enable Two-Factor Authentication (2FA) is by using an authentication app. 

Quick Start

Here is an outline of the steps to take to enable 2FA on your account using the authentication app Google Authenticator.

  1. Login to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. Download Google Authenticator from the iOS/Play Store
  6. Using the app, scan the QR code shown on the screen
  7. Provide the code shown in the app to enable 2FA

Step by Step Instructions

 

Step 1 & 2. Login to your Adafruit Account & Navigate to "My Account"

Now let's get started by signing into an Adafruit account and navigating to "My Account" as shown in the screenshot below:

Step 3. Under "My Account" select "Security and Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account. 


Continue by clicking on the "Security and Privacy" option highlighted in red in the image below: 

Step 4. Select "Edit two-factor authentication settings"

In Security and Privacy, notice the red letters stating 2FA is disabled. By default, 2FA is disabled on every account. We will want to start the process to enable it and add a layer of security to the account. 

Continue by clicking on the text "Edit two-factor authentication settings", which is the second portion highlighted in yellow below:

Continue by selecting "Click here to Enable" in order to continue setting up 2FA on your account.

You will be redirected to a page with a QR code. This code will be used to set up 2FA using the Google Authenticator app in this case.

Step 5. Download the Authentication app

At this time, go to your phone's app store and download the Google Authenticator application or whatever application you have chosen.

Step 6. Scanning the QR Code

Once you download the app, select "scan a barcode" and allow the app to use your camera so you can take a picture of the QR code on the screen.

Step 7. Saving the Code to enable 2FA

After you take a picture of the QR code, you will be shown a code. Note that this code will change every 30 seconds. The time left to use the code is shown by the loading blue circle, which is circled in red in the screenshot below.

Enter the code without spaces, just the numbers.

Enter the code which you see in your Google Authenticator app here.

After selecting Continue, you will be prompted to copy and save an emergency code. If your mobile device gets lost, you can use this code one time to access your account.

Save the code and select "I have copied the code" to finalize the 2FA enabling process. 

Now every time you sign in and out of your Adafruit account, you will be asked for the authentication code which you will retrieve from the Google Authenticator App.

2FA acts as a protective barrier between you and the application you are trying to access. Even if your password gets compromised, you are guaranteed that the information in the account will be safe from whoever is trying to access the account.

As long as you have the authenticator app, your phone, or even the backup code that was generated for you – only you should be able to access the account.

Please note the option to use SMS is no longer available. Please set up 2FA with Twilio Authy or the Google Authenticator app.

At Adafruit, we highly encourage our community to enable two factor authentication to add a layer of security to your profile.  As mentioned before, Two-Factor Authentication is a two step process where step 1 is to login to your account with your username and password and step 2 is to provide a code that is obtained on a physical device you possess, either a phone, USB key, or other devices! 

This write up will show how to set up Two-Factor Authentication (2FA) so you can receive a code to your cell phone via a text message.  You can also set the 2FA by using an app. That process is shown on the next page. 

Quick Start

Here is a quick overview of how to set up 2FA via SMS (text message):

  1. Login to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. Select the text under the QR code titled "Don't have a compatible device use SMS instead" 
  6. Enter your phone number
  7. Provide the code sent to you to enable 2FA
  8. Save the emergency code somewhere safe
  9. Verify 2FA is enabled

Step By Step Instructions

Step 1 & 2. Login to your Adafruit Account & Navigate to "My Account"

Start by signing into an Adafruit account and navigating to "My Account" as shown in the screenshot below:

Step 3. Under "My Account" select "Security and Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account.


Continue by clicking on the "Security and Privacy" option highlighted in red

In Security and Privacy, notice the red letters stating 2FA is disabled. By default 2FA is disabled on every account. We will want to start the process to enable it and add a layer of security to the account. 

Step 4. Select "Edit two-factor authentication settings"

Continue by clicking in the text "Edit two-factor authentication settings" which is the second portion highlighted in yellow below: 

Continue by selecting "Click here to enable" to begin the 2FA set up process.

You will now see a black and white QR code image, which may be scanned with the Google Authenticator app to obtain a code. However, to use SMS, we want to be sent a text with the code rather than scanning a QR code.

Step 5. Select "Don't have a compatible device use SMS instead" 

Continue by selecting the text under the QR code image which reads, "Don't have a compatible device use SMS instead." 

Step 6. Enter your phone number

You will be prompted for a mobile number. An authentication code will be texted to this number every time you log in to your account. Make sure the mobile number you enter belongs to a physical device you always have access to, such as your cell phone.

International numbers can be entered by selecting your country first.

Enter your phone number to be sent the confirmation code

Step 7. Provide the code sent to you to enable 2FA

After entering your mobile phone number, you will be sent a text message with an authentication code. You will need to enter it in the authentication code prompt in order to turn on 2FA.

Enter the code in the authentication code input box, which will look similar to the one highlighted in yellow

Step 8. Save The Emergency Code

After selecting Continue, you will be prompted to copy and save an emergency code which can be used in case your mobile device gets lost. With this, you can use the code one time to access your account.

 

Save the code and select "I have copied the code" to finalize the 2FA enabling process.

Step 9. Verify 2FA is Enabled

Checking back to the "Security and Privacy" settings you should now see 2FA is enabled in green letters. Congratulations, you have taken the step to add protection to your account!

2FA status should be enabled as shown in this image

Every time you log into your Adafruit account, you will be prompted to enter an authentication code, which will be sent to you via SMS automatically after you enter your username and password. 

We have covered some of the 2FA methods that can be implemented in your account, such as using authenticator apps and SMS text messages. However, it should be noted both of these methods are vulnerable to man-in-the-middle attacks where an attacker can intercept SMS messages to obtain your verification code. This is why we will be explaining a different method of 2FA.

Another method in which 2FA can be implemented is called Universal 2nd Factor (U2F). U2F was developed by Google and Yubico, the maker of the hardware authentication keys known as Yubikeys. U2F uses physical hardware devices, such as USB or NFC keys, which can be used to log in to your account after you provide your email and password.

To learn more about U2F devices such as the Yubikeys, here is a link to how Yubico describes the importance of U2F: Yubico on U2F and why it's important.

Quick Start

Here is an outline of the steps to take to enable U2F on your account using a security key:

  1. Login to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. Enter a nickname for the security key you will be using and select "add credential"
  6. You will be prompted to verify your identity with accounts.adafruit.com; select the option "External security key or built-in sensor"
  7. You will then be prompted to insert your security key into the USB port of your computer; ensure you insert the key
  8. We used a Yubikey security key, which prompts the user to press down on the golden circle after it has been inserted and the light starts to flicker
  9. The nickname of your key will now appear, as well as the date it was added, in your 2FA settings
  10. Next time you log into your account you will be prompted to insert the same key you used in this guide into your computer's USB port and touch the key to log into your Adafruit account. 

Step by Step Instructions

Step 1 & 2. Login to your Adafruit account & navigate to "Account Settings"

Now let's get started by signing into an Adafruit account and navigating to "Account Settings" as shown in the screenshot below:

Step 3. Under "Account" select "Security & Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account. Continue by clicking on the "Security and Privacy" option highlighted in red in the image below: 

Step 4. Select "Edit two-factor authentication settings"

In Security and Privacy, notice the green letters stating 2FA is enabled. You can revisit a previous tutorial to learn how to enable 2FA.

Continue by clicking on the text "Edit two-factor authentication settings", which is the second portion highlighted in yellow below:

Step 5. Enter a nickname for the security key you will be using, then select "add credential"

Step 6. You will be prompted to verify your identity with accounts.adafruit.com; select the option "External security key or built-in sensor"

Step 7. You will then be prompted to insert your security key into the USB port of your computer & Step 8. You will be instructed to touch your key after it has been inserted and is blinking a light

Ensure you insert the security key directly into one of the USB ports located in your computer. Once the key is inserted into the USB port of your computer, it should start blinking a light. If you do not see a blinking light, flip the key around, as it might have been inserted backwards. Once you see the blinking light, press the golden circle down with your thumb.

Step 9. The nickname of your key will now appear, as well as the date it was added, under the "Add Security Key" section

When the key is successfully added you will see a prompt stating "Security key successfully added to your account" as well as the nickname of your key under the "Add a Security Key" section.

Step 10. Next time you log into your account you will be prompted to insert the same key you used in this guide into your computer's USB port and touch the key to log into your Adafruit account.

Ensure you keep your key in a safe place as every time you log into your Adafruit account the physical key will be required to access your account. 

After setting up 2FA on your Adafruit account, make sure to verify your account.

Account verification helps the company verify that a person is behind each Adafruit account. This will really help the team stop any kind of abuse on the platform, such as fake account generation, bots, etc.

Steps

Account verification is just three steps:

  1. If your account status says "Account Not Verified", an email will be sent to verify it
  2. In your email, click on the link to verify your account
  3. Confirm your verification status is changed to verified

Steps 1 & 2. Getting a Verification Email

After logging into your Adafruit account, under Security and Privacy, check the Account Verification status. If the status reads "Account Not Verified", click the blue hyperlink right under it to "Send Account Verification Email." This will email you a verification email.

In your email, click on the link which reads, "Verify my account"

Note the red rectangle illustrating the account verification settings below:

Notice the "Account Not Verified" status; we will need to verify it

Step 3. Confirming your Verification Status 

In the Security & Privacy settings, check back to see that the account verification status has changed to "Account Verified" as shown in the area enclosed in the red rectangle below:

After you verify your account the account status should change to green

Thank you for helping Adafruit improve our platform to provide the best experience for our community. 

Quick Intro 

At Adafruit, we have an option to help you keep logs of who is logging into your account.  If you choose to opt-in to the notification service, you will receive an email every time your account is logged into. 

The email will contain:

  1. Public IP of the device used to log into your account
  2. Username/email of the account being accessed on Adafruit
  3. The date and time your account was accessed

An email example is shown in the screenshot below:

Instructions

To opt in to receive the notification, it's as easy as 1, 2, 3.

Steps:

1. Log into your Adafruit Account

2. Go to Account. This is next to your name in the upper right hand of the screen for desktop/laptop when you are logged in. On mobile, select the three horizontal lines in the upper left and touch Account (you need to Sign In to get the Account option).

3. In Account, select Security & Privacy, then select the checkbox to opt in to new session notifications

Opt in to receive session notifications from your account

Impact

Monitoring your account is important. If there is a suspicious login you do not recognize, you can take immediate measures.

Some measures include changing your password and revoking access to the device with the suspicious IP (Internet) address.

Adafruit is currently requiring a verified account with two-factor authentication enabled in order to purchase certain high-demand products, such as Raspberry Pi computers, due to a large number of bot-purchasers making it difficult for Makers and Engineers to order these products.

Please make sure you have a verified Adafruit account and enable two-factor authentication. Finally, you will need to sign out and back in to activate the account verification.

Why is Adafruit doing this? Why doesn't Adafruit allow these bots to buy up stock and set a market price that matches supply / demand?

Right now there's a serious silicon/chip shortage which is making it hard to keep some boards like the Raspberry Pi stocked. There's also a lot of people who want to use RasPi's for their products and projects!

Since Adafruit is a member of the hacker/maker/engineering community, we want to make sure that folks who are learning and creating with electronics have a chance to pick up a Raspberry Pi.

We set a limit of '1 per customer' but found that there were automated or semi-automated purchasers who would repeatedly order multiple boards for resale on auction sites. We think there are enough RasPi's for most people who want one, but they were having to compete with people who were not following the '1 per customer' rule and using automated tools to purchase large quantities before most folks had a chance to check out.

What does Raspberry Pi Foundation think about what Adafruit is doing?

They are really supportive of our efforts to get Pi's to the students, makers, and engineers!

In an interview with ZDNet, Eben Upton (co-founder of Raspberry Pi) said:

Any time a product is in short supply you're going to see bots trying to grab stock to resell at a margin: graphic cards are the classic recent example of this. This is parasitic behaviour, and it's great to see people like Adafruit taking measures to stop it

You can tell it's really Eben because he spells behavior with a u ;)

How effective is this? This seems like it won't work and can be easily bypassed.

It's actually working out pretty well! In addition to 2FA & account verification requirements, we have added several updates to our checkout process to either outright prevent or significantly mitigate automated repeat purchases of high-demand products such as Raspberry Pi 4's.

Our support team has introduced additional human-led reviews and audits of flagged orders containing these products.

Prior to these efforts, we were seeing Raspberry Pi sell-through rates of several hundred per minute. Currently, we are selling about 12 Raspberry Pi 4s per minute when restocked.

1-per-customer limits, 2FA, and verified accounts are all part of a multi-pronged system that we use to make purchasing Pi's fairer.

Why is Adafruit gradually releasing stock? Why not release them all at once?

We currently have a very limited supply of Raspberry Pi 4s that we are gradually releasing in batches of ~300. We have chosen this approach for several reasons:

  1. To avoid additional strain on our staff when reviewing and shipping these orders,
  2. To give customers multiple weekly opportunities to purchase a Raspberry Pi 4,
  3. To allow us to observe new & evolving bot behaviors and adjust our approach based on what we observe.

Why does it seem like Adafruit is releasing 1 or 2 units at a time sometimes?

Our support team returns items to stock when reviewing fraudulent or automated orders. This means individual units are automatically returned to stock and made available to purchase from time to time.

If I buy a 4GB Pi 4 do I have to wait to buy an 8GB Pi 4?
Yes, at this time it's 1 Pi unit of any type. Once we have more supply, we will update what's allowed.

If I ordered a Pi of any kind, how long do I have to wait?
At this time it's one Pi computer/compute module unit, of any kind, per customer/location - when and if we can allocate more we will update these restrictions and provide a time when additional orders can be placed. Another order cannot be placed until we can allocate more.

What other products are included in purchase limits at this time?
PJRC Teensy 4.1 Development Board.

I signed up to be notified by email when Raspberry Pi 4s go back in stock. Why am I not being notified?

We send "back in stock notifications" in a first come, first served order and use the number of units of available stock as the limiting factor when deciding how many emails to send. For a popular product such as Raspberry Pi 4s, this means for every 300 units we put into stock we notify between 300 - 600 customers based on the order they signed up to be notified.

If you missed out on a notification - please sign up again, we do notify everyone and we do our best to notify a reasonable number of people!

Why is Adafruit requiring app-based 2FA and not allowing SMS?

SMS-based 2FA is relatively easy to spoof and difficult to support internationally. Using app or computer-based TOTP 2FA is free, available on every platform, and is reliable and secure.

I think you could totally fix this problem by doing XYZ... why don't you 'just' do what I came up with?

I bet you do! The developer and customer support team members at Adafruit have been discussing all sorts of techniques from SteamDeck-like reservations, to backorders, to passworded checkout (we did this with the x0xb0x, our first product!), to customized tokens in notification emails...

Like all engineering problems, there are trade-offs to each 'fix'. Each one of the options above has implementation and usage downsides (even if they may not be obvious to casual observers) because of the way the Adafruit stock, checkout, support and shipping workflow happens.

Right now, the 2FA + verified email + human oversight technique is working out pretty well! We will adjust and refine the process as we continue to stock and sell Raspberry Pi's.

This guide was first published on May 21, 2019. It was last updated on 2022-08-22 11:33:31 -0400.