In the coming product update of the Toolbox, we will introduce two-factor authentication (2FA).
We are pleased to provide it to you as it was one of the most requested features.
What is 2FA?
While the standard way to login on any service is to use your email and password (1st factor of authentication), some people prefer to add a second layer of security called the second-factor of authentication.
2FA is the acronym for that two-factor authentication factor.
How is two-factor authentication working on dissident?
The classic way for 2FA is to use the phone number of the user and send the validation code via SMS. Because privacy is essential for us, we don't want to collect any data that isn't necessary.
We've opted for the TOTP protocol (https://medium.freecodecamp.org/how-time-based-one-time-passwords-work-and-why-you-should-use-them-in-your-app-fdd2b9ed43c3) solution, which is supported by the most popular smartphones' authenticator apps (DUO, Authy, Google authenticator ). Each time you log in, you'll be asked to enter a code generated by the app.
How can you activate 2FA on your account?
To activate 2FA, you need to follow the following steps:
• On any of our apps, go to the setting page (it is accessible after clicking on your profile picture in the top right corner)
• Click on the "Security" tab.
• Scan the QR code with an authenticator app on your phone, or manually entered the code provided.
• Enter the code provided by the authenticator app.
It is as simple as that. Now, each time you will want to sign-in using your email and password, a six digits code will be asked. Your authenticator app will provide it to you.
Why Is the 2FA code not asked after login in with Google or Facebook?
To access your Toolbox, you can also sign in with tiers services like Google or Facebook but, even after activating 2FA, we won't ask for the 2FA code when logging in with those services.
Google and Facebook both include 2FA, and we don't want to add this factor as it might be redundant with those services authentication.
If you want to improve the security of the login through those services, you should activate 2FA directly on Google and/or Facebook.
What are the recovery codes displayed in the "Security" setting page?
After activating 2FA on your account, a list of recovery codes will be displayed in the "Security" setting page.
These codes can be used when you don't have your phone with you. Each code is one-time use only. You can generate as many as you want, but it is imperative that you keep or print at least one in a safe place
If you lost your authentication app and didn't save your recovery codes, you won't be able to login to your account anymore with your email. If you didn't select a second login method like Facebook or Google login, your dissident account would be lost and our support won't be able to help you.