Two-factor authenticating... here


#1

Editing my profile here on this very support site, I see there is a basic way to enable two-factor authentication prebuilt in the website CMS, basically involving proprietary phone apps.

This led me to think, some day with plenty of time (i.e. if you are like me…never, but anyway!) it’d be cool to propose authenticating here with your very own Nitrokey.

That’d be a very efficient exercise, end-to-end, to propose for new users :wink:

“Want to try straight here, right now? Plug your Nitrokey and let’s get started…”


#2

I do wholeheartedly support that! :grinning:


#3

Hey,

actually it is working out of the box! As the procedure is indeed quite classy, I decided to go with your proposal and improved the instructions on our website by adding a generic guide based on this forum as an example.

Please let me know what you think about it!

Kind regards
Alex


#4

Thank you!

  1. it works like a charm
  2. the guide is very clear; maybe you could reduce the size of the screen copies to make the page shorter, frame them (so it’s clear they are images and there is no confusion possible with the very same elements around them that actually are part of the active webpage) and, also, show a screencopy using the menu from the menubar rather than from the big window, like this: (image: from menubar)

#5

Thank you for your feedback! I tried to adapt some of your tips!


#6

Hello,

thanks for the procedure, it works for me.

Just a point: what about if I lose my key? Yes, I posted some questions for this case, but in a general situation. Here we have a specific known one :slight_smile:
This forum’s recovery password mechanism works only for a missing main password; in such a case the second factor auth. is required.
But did you implement something for the opposite case: the Nitrokey is lost (and not necessarily the main password)?

Thank you in advance.

Regards,

Gilles


#7

Hi,

we did not implement anything special. The software we are using for the forum is called Discourse. It is not uncommon that there is no recovery option for the OTP login afaik. I didn’t try the recovery for Discourse yet, being honest. Generally, the safest would be to save the secret code itself securely. But then you have a copy of the secret code. So make sure that this is stored securely.

Kind regards
Alex


#8

Hi,
ok, so as I can’t reveal the secret code (the one provided by the web app, let’s say) from the Nitrokey App interface (Windows 10), I need to back it up when I activate the service. After, it’s too late, as I do not have any way to know it.
And if I lose the key, and if I have my secret… what can I do? Using a TOTP functionality of KeePassXC with my secret code to recover my access could be a solution, or do I need to wait to buy/receive my new Nitrokey Pro key?

Gilles


#9

Hey Gilles,

everything you said is correct. You need to back up beforehand (as you can’t get the secret code afterwards) and you can use it in any application/device using the TOTP standard.

Kind regards
Alex


#10

Thank you Alex.
I would suggest to update the procedure you created

You may create a backup of it (in case the Nitrokey get lost or breaks) by writing it down on a sheet of paper and storing it securely

by putting the stress on the need to back it up. Now it’s created, I can’t do it anymore, I’m sad of that :’( (even if the forum interface proposes 10 backup codes. I guess those ones should also be stored securely.) “May” could be replaced by “must”. Just my advice :slight_smile:

Gilles


#11

Hi Gilles,

I am not sure about it. I think other people would advise not to write it down. Therefore, I don’t want to put a must in it. Or maybe I put in something like “you must create a backup now if you need one”…

Kind regards
Alex


#12

Ah, and you can just deactivate 2FA now and reconfigure it to have a backup! :wink:


#13

Too simple… Thanks Alex.