Using Two-Step Verification (aka 2FA) to make your account more secure and private

Welcome to Wondercafe2!

A community where we discuss, share, and have some fun together. Join today and become a part of it!

Register Log in
Status
Not open for further replies.
Mendalla

Mendalla

Happy headbanging ape!!
Pronouns
He/Him/His
One of the most important security measures on the Internet today is 2-Factor Authentication, 2FA for short. You may have used this already. It is when you log in to a site with your username and password, and then they text or email you a code that you have to enter. What this does is add a second layer of identification, the second factor. Now the site not only knows you know the password, but they know you have access to the email address or cell phone you set up in your account. Another way, more secure, way of doing 2FA is using an authenticator app (e.g. Google Authenticator). This generates the code right on your device, verifying that you are in possession of the device that you registered when you set it up.

(Note: Back in the old pre-smartphone days, this was done with a dedicated key-chain-type token that you had to carry around. Some high security operations still use these.)

2-Factor Authentication is available on Wondercafe2 via the Xenforo software platform in two forms:

- Authenticator app (more secure)
- Email (less secure, but better than no 2FA)

In my subsequent posts, I will tell you how to set up each.

Given the nature of this site, 2FA is not really a necessity, but it does protect you from having personal information (such as the email address you use on the site) accessed or your account being used for trolling or spamming by a hacker. I certainly encourage the use of 2FA anywhere you can use it. I have had it enabled for a while now, both here and on other Xenforo sites where I am active.
 
Last edited:
Setting up 2FA using an authenticator app
  1. Install an authenticator app on your tab or phone from your device's app store (I use Google Authenticator, but Microsoft has one, too)
  2. Log in to Wondercafe2
  3. Click on your avatar/username in the top right to get the user settings
  4. Click on "Password and security"
  5. Under "Two-step verification" (another name for 2FA), it should show Disabled and a Change button. Click the button.
  6. Enter your password when prompted.
  7. Next to "Verification Code via app" click Enable
  8. In your app (basing this on Google Authenticator, but MS is similar), click + to add a site
  9. Tap Scan QR Code and point your device camera at the QR Code (Square symbol) on the screen
  10. Once it scans, enter the six digit verification code generated by the app into the box labelled "Verification Code" under the QR Code.
  11. When the backup codes are displayed, copy them to a program like Windows Notepad and save the file with a suitably obscure name, These are needed if you lose access to your device. Click "I have saved the backup codes" when you have done this.
Using 2FA with an authenticator app
  1. Login to Wondercafe2 with your username and password as usual
  2. When prompted for a verification code, open the app on your device and enter the code being displayed.
  3. Check "Trust this device for 30 days" if you want to be prompted for 2FA less often. This is per device so if you access WC2 from a phone and a computer or two different computers, you may still get prompted on the other device until you have trusted it for 30 days as well.
  4. Click Confirm.
Note that the codes regenerate every minute or so, which is part of what makes this secure. If they change while you are entering the code, keep entering the old code. It will still be recognized for a time even though it is no longer displayed in the app.
 
Setting up 2FA using email
  1. Log in to Wondercafe2
  2. Click on your avatar/username in the top right to get the user settings
  3. Click on "Password and security"
  4. Under "Two-step verification" (another name for 2FA), it should show Disabled and a Change button. Click the button.
  5. Enter your password when prompted.
  6. Next to "Email Confirmation" click Enable
  7. Go to the email address you use for Wondercafe2 and there should be a message there with a six digit code
  8. Enter the code in "Email Confirmation Code" and click Confirm.
  9. When the backup codes are displayed, copy them to a program like Windows Notepad and save the file with a suitably obscure name, These are needed if you lose access to your device. Click "I have saved the backup codes" when you have done this.
Using 2FA with an email code
  1. Login to Wondercafe2 with your username and password as usual
  2. When prompted for an email confirmation code, go to your email and enter the six digit code that was emailed to you
  3. Check "Trust this device for 30 days" if you want to be prompted for 2FA less often. This is per device so if you access WC2 from a phone and a computer or two different computers, you may still get prompted on the other device until you have trusted it for 30 days as well.
  4. Click Confirm.
Emailed codes are good for 15 minutes. After that, you will have to log in again to get a new code.

For this to be secure, you must use a different password for Wondercafe2 than for your email account and, ideally, have 2FA of some kind on the email account (Google has several options available for GMail, for instance). Otherwise, both can be compromised, allowing the attacker to obtain the confirmation codes.
 
Last edited:
To deactivate 2FA or make changes
  1. Log in to Wondercafe2
  2. Click on your avatar/username in the top right to get the user settings
  3. Click on "Password and security"
  4. Under "Two-step verification" (another name for 2FA), it should show Enabled with the method chosen in brackets and a Change button. Click the button.
  5. Enter your password when prompted
  6. To completely turn off Two-step Verification, click the button labelled "Disable Two-Step Verification" at the bottom
  7. To change method, click DIsable next to the current method and the Enable next to the other, then follow the appropriate steps above
  8. If you use an app and get a new phone or tab, click Manage next to "Verification code via app", then check the "Regenerate secret for a new device" checkbox. This will take you back to step 8 in the instructions for setting up "Verification code via app" two posts above.
  9. If you use email and change the email address on your account, you will have Disable and then Enable "Email Confirmation".
 
That is enough to get you going. If you have questions, or need help with something I have not covered like how to use the backup codes, start a thread in Tips & Techniques or drop me a conversation.
 
Status
Not open for further replies.
Back
Top