Two-Factor Authentication (2FA) Explained

Two-factor authentication is a two-step process that helps keep bad guys out of a computer account even if they have your password. For shorthand in this tutorial, Two-Factor Authentication will be referred to as 2FA.

2FA can be broken down into two steps, as the name implies:

Step 1, log in to your Adafruit or other online account with your user name and password.

Step 2, when prompted, provide a code that was sent to your mobile device to let you access the account.

2FA requires that steps 1 and 2 are both completed on the device from which you are trying to access your account.

How does 2FA work to protect you?

Let's examine how 2FA can help in the following scenario:

Pikachu is a super adorable, popular streamer on Twitch. Pikachu has heard of his friend's account getting hacked, so he took action to set up 2FA on his Twitch account to stay protected. Now, every time he logs in, the process has two steps, and one of them is to provide the code texted to his phone.

Mimikyu is another Twitch user who dislikes Pikachu. He wants to get hold of Pikachu's Twitch account so he can demand a ransom (a lot of money) to return it. Mimikyu has managed to successfully guess step 1 of the login process, Pikachu's username and password. But Mimikyu cannot get past step 2 because he needs the code sent to Pikachu's phone. Mimikyu, out of frustration, gives up without being able to steal Pikachu's account.

Score one for 2FA for being able to protect Pikachu from online attackers! pika pika!

2FA For Adafruit Accounts

At Adafruit Industries we are proud to be able to offer our community 2FA protection. Whether you want to use an authentication app on your phone or just receive an SMS text message with the code to log in, please enable 2FA to add additional security to your account.

Do keep in mind, Mimikyu was able to successfully guess Pikachu's password, which was Pikapika123! This is not a very good password since it can be easily guessed given Pikachu's social media posts and the content he puts out.

Keep a lookout for our next guide on how to increase password complexity and use online password managers to prevent attackers from guessing your passwords so easily. 

Using the Authy App

For this Two-Factor Authentication setup, we will be using the Authy app. It's very similar to the Google Authenticator app: once you log in with your email and password, a code will be available in the Authy app for the account you are trying to access. Note that the codes in the Authy app change every 30 seconds.

Quick Start

Here is an outline of the steps to take to enable 2FA on your account using the Authy app:

  1. Log in to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. Download the Authy app from the iOS/Play Store
  6. Using the app, scan the QR code shown on the screen
  7. Provide the code shown in the app to enable 2FA

Step by Step Instructions

 

Step 1 & 2. Log in to your Adafruit Account & Navigate to "My Account"

Now let's get started by signing into an Adafruit account and navigating to "My Account" as shown in the screenshot below:

Step 3. Under "My Account" select "Security and Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account. Continue by clicking on the "Security and Privacy" option highlighted in red in the image below: 

Step 4. Select "Edit two-factor authentication settings"

In Security and Privacy, notice the red letters stating 2FA is disabled. By default, 2FA is disabled on every account. We will want to start the process to enable it and add a layer of security to the account. 

Continue by clicking on the text "Edit two-factor authentication settings", the second portion highlighted in yellow below:

Continue by selecting "Click here to Enable" in order to continue setting up 2FA on your account.

You will be redirected to a page with a QR code. This code will be used to set up 2FA using the Authy app. You can scan the QR code once you download the Authy app.

Step 5. Download the Authy app & Step 6. Using the app scan the QR code

Once you have downloaded the Authy app, follow these steps:

1) In the Authy app, click "add an account" in the top right corner.

2) Scan the QR code shown on the Adafruit site to set up 2FA.

To the left is an example of how the authentication code for your Adafruit account will be displayed in the Authy app.

You will see this code after scanning the QR code on the screen with the app.


Step 7. Provide the code sent to the app to enable 2FA

Enter the code shown under the email you use for your Adafruit Account in the prompt asking for "AUTHENTICATION CODE".

After you select Continue, you will be prompted to copy and save an emergency code. If your mobile device gets lost, you can use this code one time to access your account.

Save the code and select "I have copied the code" to finalize the 2FA enabling process. 

Now every time you sign in and out of your Adafruit account, you will be asked for the authentication code which you will retrieve from the Authy App.

2FA acts as a protective barrier between you and the application you are trying to access. Even if your password gets compromised, you are guaranteed that the information in the account will be safe from whoever is trying to access the account.

As long as you have the authenticator app, your phone, or even the backup code that was generated for you – only you should be able to access the account.

Using Google Authenticator

A second way to enable Two-Factor Authentication (2FA) is by using an authentication app. You can also set up 2FA using SMS, as noted on the previous page, if you do not want to use an app. However, for this 2FA setup, we will be using the Google Authenticator app.

Quick Start

Here is an outline of the steps to take to enable 2FA on your account using the Google Authenticator app:

  1. Log in to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. Download Google Authenticator from the iOS/Play Store
  6. Using the app, scan the QR code shown on the screen
  7. Provide the code shown in the app to enable 2FA

Step by Step Instructions

 

Step 1 & 2. Log in to your Adafruit Account & Navigate to "My Account"

Now let's get started by signing into an Adafruit account and navigating to "My Account" as shown in the screenshot below:

Step 3. Under "My Account" select "Security and Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account. 


Continue by clicking on the "Security and Privacy" option highlighted in red in the image below: 

Step 4. Select "Edit two-factor authentication settings"

In Security and Privacy, notice the red letters stating 2FA is disabled. By default, 2FA is disabled on every account. We will want to start the process to enable it and add a layer of security to the account. 

Continue by clicking on the text "Edit two-factor authentication settings", the second portion highlighted in yellow below:

Continue by selecting "Click here to Enable" in order to continue setting up 2FA on your account.

You will be redirected to a page with a QR code. This code will be used to set up 2FA, in this case using the Google Authenticator app.

Step 5. Download the Authentication app

At this time, go to your phone's app store and download the Google Authenticator application or whatever application you have chosen.

Step 6. Scanning the QR Code

Once you download the app, select "scan a barcode" and allow the app to use your camera so you can take a picture of the QR code on the screen.

Step 7. Saving the Code to enable 2FA

After you take a picture of the QR code, you will be shown a code. Note this code will change every 30 seconds - the time left to use the code is shown by the loading blue circle circled in red in the screenshot below.

Continue to enter the code without spaces, just the numbers.

Enter the code which you see in your Google Authenticator app here.

After you select Continue, you will be prompted to copy and save an emergency code. If your mobile device gets lost, you can use this code one time to access your account.

Save the code and select "I have copied the code" to finalize the 2FA enabling process. 

Now every time you sign in and out of your Adafruit account, you will be asked for the authentication code which you will retrieve from the Google Authenticator App.

2FA acts as a protective barrier between you and the application you are trying to access. Even if your password gets compromised, you are guaranteed that the information in the account will be safe from whoever is trying to access the account.

As long as you have the authenticator app, your phone, or even the backup code that was generated for you – only you should be able to access the account.
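How an authenticator app arrives at the 30-second code described in the Authy and Google Authenticator sections, as an added example that is not Adafruit's, Authy's or Google's code. It assumes the setup QR code carries a standard otpauth:// URI and that codes follow RFC 6238 TOTP with HMAC-SHA-1, 6 digits and a 30-second step (Google Authenticator's defaults); the sample URI, account name and the one-step clock-drift allowance in verify() are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30    # seconds each code stays valid (assumed default)
DIGITS = 6   # length of the displayed code (assumed default)

def secret_from_uri(uri: str) -> bytes:
    """Extract the shared secret from the otpauth:// URI a setup QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped base32 padding
    return base64.b32decode(b32)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F            # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus/minus drift_steps of clock skew."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + step * STEP)
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed provisioning URI; the secret is the published RFC 6238 test key,
# not a real account's secret.
SAMPLE_URI = ("otpauth://totp/Example:pikachu@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    import time
    key = secret_from_uri(SAMPLE_URI)
    now = int(time.time())
    print("code now:", totp(key, now), "valid for", STEP - now % STEP, "more seconds")
```

Because the code depends only on the secret from the QR code and the current time, anyone who can copy that QR code or the secret inside it can generate the same codes, so treat the setup screen like a password.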

Using SMS (Text Message)

At Adafruit, we highly encourage our community to enable two factor authentication to add a layer of security to your profile.  As mentioned before, Two-Factor Authentication is a two step process where step 1 is to login to your account with your username and password and step 2 is to provide a code that is obtained on a physical device you possess, either a phone, USB key, or other devices! 

This write up will show how to set up Two-Factor Authentication (2FA) so you can receive a code to your cell phone via a text message.  You can also set the 2FA by using an app. That process is shown on the next page. 

Quick Start

Here is a quick overview of how to set up 2FA via SMS (text message):

  1. Log in to your Adafruit Account
  2. Navigate to "My Account"
  3. Under "My Account" select "Security and Privacy"
  4. In "Security and Privacy" select "Edit two-factor authentication settings"
  5. Select the text under the QR code titled "Don't have a compatible device use SMS instead" 
  6. Enter your phone number
  7. Provide the code sent to you to enable 2FA
  8. Save the emergency code somewhere safe
  9. Verify 2FA is enabled

Step By Step Instructions

Step 1 & 2. Log in to your Adafruit Account & Navigate to "My Account"

Start by signing into an Adafruit account and navigating to "My Account" as shown in the screenshot below:

Step 3. Under "My Account" select "Security and Privacy"

The 2FA enabling setting can be found under the Security & Privacy settings in your account.


Continue by clicking on the "Security and Privacy" option highlighted in red

In Security and Privacy, notice the red letters stating 2FA is disabled. By default 2FA is disabled on every account. We will want to start the process to enable it and add a layer of security to the account. 

Step 4. Select "Edit two-factor authentication settings"

Continue by clicking on the text "Edit two-factor authentication settings", the second portion highlighted in yellow below:

Continue by selecting "Click here to enable" to begin the 2FA setup process.

You will now see a black-and-white QR code image, which may be scanned with the Google Authenticator app to obtain a code. However, for SMS, we want to be sent a text with the code rather than scanning a QR code to get it.

Step 5. Select "Don't have a compatible device use SMS instead" 

Continue by selecting the text under the QR code image which reads, "Don't have a compatible device use SMS instead." 

Step 6. Enter your phone number

You will be prompted for a mobile number. An authentication code will be texted to this number every time you log in to your account. Make sure the mobile number you enter belongs to a physical device you always have access to, such as your cell phone.

International numbers can be entered by selecting your country first.

Enter your phone number to be sent the confirmation code.

Step 7. Provide the code sent to you to enable 2FA

After entering your mobile phone number, you will be sent a text message with an authentication code. You will need to enter it in the authentication code prompt in order to turn on 2FA.

Enter the code in the authentication code input box, which will look similar to the one highlighted in yellow

Step 8. Save The Emergency Code

After selecting Continue, you will be prompted to copy and save an emergency code which can be used in case your mobile device gets lost. With this, you can use the code one time to access your account.

 

Save the code and select "I have copied the code" to finalize the 2FA enabling process.

Step 9. Verify 2FA is Enabled

Checking back to the "Security and Privacy" settings you should now see 2FA is enabled in green letters. Congratulations, you have taken the step to add protection to your account!

2FA status should be enabled as shown in this image

Every time you log into your Adafruit account, you will be prompted to enter an authentication code, which will be sent to you via SMS automatically after you enter your username and password. 

Another method of 2FA: U2F

We have covered some of the ways 2FA can be implemented, such as authenticator apps and SMS text messages. These methods are vulnerable to man-in-the-middle attacks, where an attacker can intercept SMS messages to obtain your verification code, which is why we will be explaining a different method of 2FA.

Another method in which 2FA can be implemented is called Universal 2nd Factor (U2F). U2F was developed by Google and Yubico, the maker of the hardware authentication keys known as YubiKeys. U2F uses a physical hardware device, connected over USB or NFC, which you use to log in to your account after you provide your email and password.

To learn more about U2F devices such as YubiKeys, here is a link to how Yubico describes the importance of U2F: Yubico on U2F and why it's important.


Account Verification

After setting up 2FA on your Adafruit account, make sure to verify your account.

Account verification helps the company verify that a person is behind each Adafruit account. This really helps the team stop abuse on the platform, such as fake account generation, bots, etc.

Steps

Account verification is just three steps:

  1. If your account status says "Account Not Verified", an email will be sent to verify it
  2. In your email, click on the link to verify your account
  3. Confirm your verification status is changed to verified

Steps 1 & 2. Getting a Verification Email

After logging into your Adafruit account, check the Account Verification status under Security and Privacy. If the status reads "Account Not Verified", click the blue hyperlink right under it, "Send Account Verification Email." This will send you a verification email.

In your email, click on the link which reads, "Verify my account".

Note the red rectangle illustrating the account verification settings below:

Notice the "Account Not Verified" status; we will need to verify the account.

Step 3. Confirming your Verification Status 

In the Security & Privacy settings, check back to see that the account verification status has changed to "Account Verified" as shown in the area enclosed in the red rectangle below:

After you verify your account the account status should change to green

Thank you for helping Adafruit improve our platform to provide the best experience for our community. 

Monitoring Your Account

Quick Intro 

At Adafruit, we have an option to help you keep logs of who is logging into your account.  If you choose to opt-in to the notification service, you will receive an email every time your account is logged into. 

The email will contain:

  1. Public IP of the device used to log into your account
  2. Username/email of the account being accessed on Adafruit
  3. The date and time your account was accessed

An email example is shown in the screenshot below:

Instructions

Opting in to receive the notification is as easy as 1-2-3.

Steps:

1. Log into your Adafruit Account

2. Go to Account. This is next to your name in the upper right hand of the screen for desktop/laptop when you are logged in. On mobile, select the three horizontal lines in the upper left and touch Account (you need to Sign In to get the Account option).

3. In Account, select Security & Privacy, then select the checkbox to opt in to new session notifications.

Opt in to receive new session notifications for your account.

Impact

Monitoring on your account is important. If there is a suspicious login you do not recognize, you can take immediate measures. 

Some measures include changing your password and revoking access to the device with the suspicious IP (Internet) address.

This guide was first published on May 21, 2019. It was last updated on May 21, 2019.