Account Security - Two-Step Verification

Shaun

Founder
Moderator
You can now enable two-step verification on your CycleChat forum account.

Two-step verification, also known as two-factor authentication, requires you to provide two pieces of information to log in. The general form is expressed as "something you know and something you have". "Something you know" is your password. "Something you have" is the new part. You may have seen this with other services, such as Google accounts. If you're familiar with that, you'll understand how it works.

Two-step verification increases the security of your account by requiring you to provide an additional code to complete the login process. If your password is ever compromised, this verification will help prevent unauthorized access to your account.

https://www.cyclechat.net/account/two-step

There are two key methods available (you can enable both if you wish):
  • Verification Code via App - To receive verification codes via a phone app, you must first install a code-generating app such as Authy or Google Authenticator on your phone. Once you have done this, you will need to scan the QR code into the app and enter the generated code to confirm.

  • Email Confirmation - This will send a code via email to verify your login. Other two-step verification methods should be chosen over this if possible.

There is also a third method that is automatically enabled when either of the methods above is enabled: Backup Codes. These are designed to be saved for emergencies when you can't verify your login through any other method (if you don't have your phone, for example). Each backup code can be used once and you will be sent an email whenever a backup code has been used.

Two-Step Verification: Login

After verifying your password, you'll be taken to a page that requests the two-step verification code for whichever method you have enabled (and will advise which one if you have both methods enabled).

This also gives you the option to trust this device for 30 days. You may be familiar with this approach with other two-step verification systems. If you trust this device, you can log out and log in without being prompted to complete two-step verification for 30 days. This helps to mitigate the annoyance that two-step verification can create.

Once the 30 days are up, you will be prompted to complete the two-step verification again (even if you have chosen to stay logged in).

In the event that you want to stop trusting a device or you need to revoke that trust for other devices, you can do this from the two-step verification setup page in your account.

Two-Step Verification: Losing Access

A common concern with two-step verification is what happens if you lose access to all of your two-step verification methods. The system attempts to mitigate this as follows:
  • Backup codes are generated for this exact situation. If you lose your phone or your email is no longer valid, the backup codes will still work. However, you must save them once they are generated for them to be of any use.

  • Disabling two-step verification only requires access to the password when you're already logged in. If you choose to trust a device, this very likely means that you will still have access to your account. Once you verify your password, you will be able to change your two-step verification settings as necessary.

  • Finally, I can disable your current two-step verification if all else fails (use the site contact form to get in touch).

Cheers,
Shaun :biggrin: