2-Factor & Multi-Factor Authentication

 

At the LF, we believe that protecting your work environment should be the top priority for all our users. With that in mind, we recommend that everyone set up 2FA on their accounts.

2FA can be done with a hardware security key, your phone, or a third-party authenticator application. Below are the methods and applications we recommend.

Understanding 2FA & Why we use it

2FA, or Two-Factor Authentication, is a security measure designed to add an extra layer of protection to your online accounts and services. It enhances the traditional username and password login process by requiring an additional piece of information to verify your identity.

2FA is particularly crucial for accounts containing sensitive data, such as email, online banking, social media, or any service where your personal information is stored. It provides an added layer of defense against identity theft, unauthorized access, and potential financial loss. 

Enabling 2FA is relatively simple, and many online services and platforms offer this feature. It is strongly recommended to activate 2FA wherever possible to enhance your online security and protect your digital identity. We recommend using one, two or all of the methods below to keep your account and data safe.

Using YubiKey

Using YubiKey U2F for 2-factor authentication

What is U2F?

U2F stands for "Universal 2nd Factor" and solves many security and usability problems of other 2-factor authentication mechanisms. It was developed by the FIDO Alliance, an industry group working to improve online security across multiple device and service vendors.

U2F was developed specifically for browser-based authentication and has built-in anti-phishing protection.

Read more about U2F.

How is U2F better than receiving SMS codes?

SMS requires that you are able to receive text messages, which may be impossible under multiple conditions:

  • when traveling internationally

  • when working from areas with poor cell network reception

  • when your provider is having an outage

  • if your phone is out of battery

Additionally, SMS messages are not well protected: they can be intercepted, spoofed, or redirected to an attacker (for example by a SIM-swap attack on your carrier account).

Read more about downsides of SMS for 2-factor authentication.

How is U2F better than Google Authenticator?

Google Authenticator is a smartphone app that generates one-time passcodes that must be manually typed into a web form. It is an improvement over SMS, but still sometimes fails:

  • if your phone is out of battery

  • if the clock on your phone is out of sync (the codes are time-based and are only valid for a short window)

Additionally, it has important usability problems – as multiple sites are added to the smartphone app, it becomes increasingly difficult to find the right code to type in from a list of a dozen entries.

How does U2F help against phishing attacks?

When you register a U2F key with a site, the device creates a key pair bound to that site's identity (its app ID, derived from the site's origin). During login the browser, not the web page, tells the key which site is asking. A phishing page on a look-alike domain therefore cannot obtain a usable signature: the browser will not let it claim the real site's identity, and under its own identity the key does not recognize the credential the real site registered. There is also no code shown to you that could be typed into the wrong place.

Read more about U2F and phishing attack prevention.
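The mechanism described above, as an added toy model for this page (not the FIDO specification or the firmware of any real token). HMAC stands in for the per-site ECDSA key pair a real token generates, so the relying party in this model holds the same verification key as the token, whereas a real relying party holds only a public key. The structure follows the real protocol: the browser, not the page, decides which app ID the token sees; the token only honours key handles it created for that app ID; the signature covers the app ID hash, a counter, and a hash of client data naming the origin. The hostnames are constructed for the example.

```python
"""Toy model of U2F origin binding (added example, not a real token or RP).
HMAC models the token's per-site key pair; hostnames below are constructed."""
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


def sha256(data):
    return hashlib.sha256(data).digest()


class Token:
    """A U2F-style authenticator: one device secret and one signature counter."""

    def __init__(self):
        self._device_secret = os.urandom(32)
        self.counter = 0

    def _mac(self, label, *parts):
        return hmac.new(self._device_secret, label + b"".join(parts), hashlib.sha256).digest()

    def register(self, app_id_hash):
        """Return (key_handle, site_key). The handle is a nonce plus a check value
        bound to app_id_hash, so only this token, for this app ID, can use it."""
        nonce = os.urandom(16)
        key_handle = nonce + self._mac(b"handle", nonce, app_id_hash)[:16]
        return key_handle, self._mac(b"key", nonce, app_id_hash)

    def authenticate(self, app_id_hash, key_handle, client_data_hash):
        nonce, check = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(check, self._mac(b"handle", nonce, app_id_hash)[:16]):
            raise ValueError("key handle was not issued for this app ID")
        self.counter += 1
        signed = app_id_hash + struct.pack(">I", self.counter) + client_data_hash
        site_key = self._mac(b"key", nonce, app_id_hash)
        return self.counter, hmac.new(site_key, signed, hashlib.sha256).digest()


def browser_get_assertion(token, page_origin, app_id, key_handle, challenge):
    """Browser half: enforces that the page may use this app ID (simplified facet
    check: same host) and builds the client data the token signs over."""
    if urlparse(page_origin).hostname != urlparse(app_id).hostname:
        raise PermissionError(f"{page_origin} may not use app ID {app_id}")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin})
    counter, sig = token.authenticate(sha256(app_id.encode()), key_handle,
                                      sha256(client_data.encode()))
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, app_id):
        self.app_id = app_id
        self.app_id_hash = sha256(app_id.encode())
        self.users = {}  # user -> (key_handle, site_key, last_counter)

    def enroll(self, user, token):
        handle, key = token.register(self.app_id_hash)
        self.users[user] = (handle, key, 0)
        return handle

    def verify(self, user, challenge, client_data, counter, sig):
        handle, key, last = self.users[user]
        cd = json.loads(client_data)
        if cd.get("origin") != self.app_id or cd.get("challenge") != challenge:
            return False  # signed for another site, or a replayed challenge
        if counter <= last:
            return False  # replay or cloned token
        signed = self.app_id_hash + struct.pack(">I", counter) + sha256(client_data.encode())
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
            return False
        self.users[user] = (handle, key, counter)
        return True


def demo():
    """Legitimate login succeeds; a look-alike site fails both ways it can try."""
    token, real = Token(), "https://accounts.example.org"       # constructed host
    rp = RelyingParty(real)
    handle = rp.enroll("alice", token)
    challenge = os.urandom(16).hex()
    results = {"legit": rp.verify("alice", challenge,
                                  *browser_get_assertion(token, real, real, handle, challenge))}
    phish = "https://accounts-example.org.example.net"           # constructed look-alike
    try:  # 1) phishing page asks the browser for the real app ID
        browser_get_assertion(token, phish, real, handle, challenge)
        results["phish_real_appid"] = "signed"
    except PermissionError:
        results["phish_real_appid"] = "browser refused"
    try:  # 2) phishing page uses its own app ID with the stolen key handle
        browser_get_assertion(token, phish, phish, handle, challenge)
        results["phish_own_appid"] = "signed"
    except ValueError:
        results["phish_own_appid"] = "token refused"
    return results
```

Running `demo()` shows the legitimate login verifying and both phishing paths being refused before any signature is produced, which is the property that makes U2F different from a one-time code the user could be tricked into typing on the wrong page.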

Is it difficult to use?

No, all you will need to do is insert the security key into your computer USB port and press the flashing button when prompted.

You only need to do it about once a month (or when logging in from a new device).

If you cannot use your U2F device for some reason (for example, when logging in from a tablet or a smartphone), you will be able to continue to use Google Authenticator as your fallback mechanism.

What browsers support U2F?

  1. Google Chrome

  2. Firefox (requires manual enabling)

  3. Opera

If you are using Safari or some other browser, please consider switching to Chrome or Firefox for your work-related needs.

Where to get a U2F key?

If you are located in the San Francisco bay area, you can pick up your U2F device at The Linux Foundation office.

Otherwise, order yours online and reimburse it following the usual procedure:

You can purchase from Amazon or many other retailers as well. Please reimburse under "Office Supplies."
All Linux Foundation full-time staff are pre-approved for this purchase.

How to start using U2F?

Set up your U2F key with your LF Google account

You can just follow the steps in the video posted above, or do the following:

  1. Go to google.com and click on the circle in the top-right corner (usually your face or initials)

  2. Select "My Account"

    1. Make sure this is your Linux Foundation account, not your personal one

  3. Select "Signing in to Google"

  4. Select "2-step verification"

    1. You will be prompted to re-enter your password to continue

  5. Scroll to where it says "Add Security Key"

  6. Follow the prompts to set up your YubiKey

Set up authenticator app 2-step for fallback

You are no doubt wondering what happens if you lose your YubiKey, misplace it, or cannot access it for some reason. You can set up an Authenticator app on your phone as a fallback mechanism for accessing your Google account.

The process is exactly as above: choose "Add Authenticator App" and follow the instructions as provided by Google. You can alternatively set up the "Google Prompt" mechanism if your mobile device supports it, and if Google offers you that option. It's more convenient than having to manually type a code but still requires that you have a network connection in order to work.

This is the 2-step verification mechanism you should use when logging in from a smartphone, a tablet, or any other device that does not have a USB port.

Remove SMS method from your account

For maximum account security, you should remove SMS-based verification. Leaving it enabled means an attacker who can intercept or redirect your text messages can still use SMS as a way into your account, bypassing the stronger factors you set up.

  1. Go to the "2-step Verification" page if you're not already there

  2. Click the pen icon next to "Voice or Text message"

  3. Click on "Remove Phone"

Need help?

As always, Helpdesk will be happy to assist you with any problems. Please contact Service Desk via support.linuxfoundation.org or drop into #it-support on Slack.

Other sites that support U2F

You can use the same YubiKey to set up 2-step verification on many other sites that support it, including your personal Google account. Some examples:

  • Facebook

  • Dropbox

  • GitHub

See dongleauth.info for a complete and updated list.

Using 1Password

Save your QR code

To save your QR code using 1Password in your browser

  1. Open and unlock 1Password in your browser.

  2. Select the Login item for the website.

  3. Click the item's menu icon and choose Scan QR Code.

To save your QR code in the 1Password apps


  1. Open and unlock 1Password.

  2. Select the Login item for the website, then click Edit.

  3. Click Add More, then choose One-Time Password.

    You may need to scroll down to see these options.

  4. Click the QR code icon to scan the QR code from your screen or clipboard.

    If you can’t scan the QR code, most sites will give you a string of characters you can copy and paste instead.

  5. Click Save.

To save your QR code on 1Password.com

  1. Sign in to your account on 1Password.com.

  2. Select the Login item for the website and click Edit.

  3. Click “label” in a new section, and enter “One-time password”.

  4. Click the icon to the right of the field and choose One-Time Password.

  5. On the website, choose to enter the code manually. Copy the code, then paste it in the One-Time Password field.

    If the website only supports QR codes, you’ll need to scan it using a 1Password app.

  6. Click Save.

Confirm your one-time password


To confirm that you’ve saved your QR code, the website will ask you to enter a one-time password. Copy and paste the code from 1Password.

Using Authy

Download Authy here: https://authy.com/download/

Due to Authy being a 3rd party provider, we cannot provide troubleshooting. Any and all support related requests for Authy should be directed to their support team here: https://support.authy.com/hc/en-us

Getting Started: https://support.authy.com/hc/en-us/articles/115001943608-Welcome-to-Authy-

Adding 2FA: https://support.authy.com/hc/en-us/articles/360006303934-Add-a-New-Two-Factor-Authentication-2FA-Account-Token-in-the-Authy-App

Add a new 2FA account token on Android

Once you are logged into your online account and see the key or QR code, follow the below process to secure your account with 2FA.

  1. Open the Authy Android app.

  2. Tap the menu icon in the upper right corner, and then select Add Account.

  3. Tap the desired option, and follow the prompts:
       - Scan QR Code: Use this option to scan a QR code with your device's camera.
       - Enter key manually: Use this option to manually type in a token code on your device.

  4. Select the icon (if desired) and enter an account name, then tap Done.

  5. You'll now see a new 2FA code for this account in Authy. Enter this code on your account page, and then submit it.

Add a new 2FA account token on Desktop - Linux, macOS, or Windows

Notice: The Authy desktop app is not capable of scanning QR codes.

Once you are logged into your online account and see the key or QR code, follow the below process to secure your account with 2FA.

  1. Open the Authy desktop app.

  2. Click the + (plus) sign in the upper right corner.

  3. Enter the code from your desired account page, and then click Add Account.

  4. Enter the desired account name, select a logo and token digit length, and then click Save.
       NOTE: Check your account to see if a specific token digit length is called out. If you have trouble using your token, try again with a different token length.

  5. You'll now see a new 2FA code for this account in Authy. Enter this code on your account page, and then submit it.

Add a new 2FA account token on iOS

Once you are logged into your online account and see the key or QR code, follow the below process to secure your account with 2FA.

  1. Open the Authy iOS app.

  2. Tap the Red + sign at the bottom of the screen for Add Account.

  3. Tap the desired option, and follow the prompts:
       - Scan QR Code: Use this option to scan a QR code with your device's camera.
       - Enter key manually: Use this option to manually type in a token code on your device.

  4. Select the icon (if desired) and enter an account name, then tap Done.

  5. You'll now see a new 2FA code for this account in Authy. Enter this code on your account page, and then submit it.

Using Google Authenticator

Download Authenticator on your phone’s App Store: Google Authenticator

Important: To use Google Authenticator on your Android device, you need Android version 5.0 or up.

Set up Google Authenticator for your Google Account

  1. On your Android device, go to your 2-Step Verification settings for your Google Account.

    • You may need to sign in.

  2. Tap Set up authenticator.

    • On some devices, tap Get Started.

  3. Follow the on-screen steps.

Transfer your Google Authenticator codes

When you sign in to your Google Account within Google Authenticator on a new device, your codes are automatically synced to this device.

If you use Google Authenticator without a Google Account, you can still manually transfer your codes to another device.

To manually transfer Authenticator codes to a new device, you need:

  • Your old device with Google Authenticator codes

  • The latest version of the Google Authenticator app installed on your old device

  • Your new device

Steps to manually transfer Authenticator codes to a new device:

  1. On your new device, install the Google Authenticator app.

  2. In the Google Authenticator app, tap Get Started.

  3. Sign in to your Google Account.

  4. On your old device, create a QR code:

    • In the Authenticator app, tap Menu > Transfer accounts > Export accounts. You'll be asked to unlock your device.

    • Select the accounts you want to transfer to your new device.

    • Tap Next.

      • If you transfer more than one account, your old device may create more than one QR code.

  5. On your new device, tap Scan QR code:

    • In the Authenticator app, tap Menu > Transfer accounts > Import accounts.

    • Scan the QR code created on the old device.

After you scan your QR code, you’ll get confirmation that your Authenticator codes have been transferred.

Use Authenticator with multiple Google Accounts

Authenticator can sync codes for multiple Google Accounts and display them from the same mobile device.

To set up Authenticator with multiple Google Accounts:

  1. Set up Google Authenticator for your Google Account.

  2. At the top right corner of the home screen, tap your profile picture or initials.

  3. Tap Add another account.

  4. Select the account you want to add, or sign in to a new Google Account.

  5. When asked to start saving codes to the Google Account, tap Allow.

Edit your Google Authenticator codes

To edit your Authenticator code on Android, swipe left on any code to show the edit option. You can update the username for the code or change the associated Google Account where that code is saved.

Organize your Google Authenticator codes

To organize your Authenticator codes, touch and hold any code, then drag to reorder to a desired location.

You can also use the search bar to find the code you need. To search through your Google Authenticator codes, enter any text matching the username to find the code.

Delete your Google Authenticator codes

To delete an Authenticator code on Android, swipe right on any code to show the delete option.

You’ll be asked to confirm deletion. If you’ve synced your Authenticator codes to your Google Account, they’ll also be deleted from all devices where your codes are synced.