Two-factor authentication
Two-factor authentication adds a strong second layer of protection to your account.
With two-factor authentication enabled, logging in to your account works a bit differently than usual: you enter your password and a secure code generated by your mobile device. Stealing your password isn’t enough for an attacker to get access to your Exoscale account.
This method combines the security of something you know (your password) and something you have (your mobile device that generates secure codes).
Set up
From the top ACCOUNT drop-down menu, go to ACCOUNT DETAILS and then click on the Password and Security tab.
- Click on Set up two-factor verification.
- Enter your account password.
- Scan the QR code with your device’s authenticator app, or enter the code in the app.
- Your app will give you another code to enter in the form.
- Enter the code as requested and submit it.
- You will be presented with a confirmation window if the code has been successfully entered, together with a set of backup codes.
- ENSURE YOU SAVE THE BACKUP CODES.
- You should be all set.
If you don’t have an authenticator app yet, here are a few possibilities:
- for Android: FreeOTP
- for Android, iOS, and Blackberry: Google Authenticator
- for Android and iOS: Duo Mobile
- for Windows Phone: Authenticator
- for Linux/BSD/OS X: OATH Toolkit (with oathtool --totp -b yoursecret)
Implications
Once two-factor authentication is enabled, you are fully responsible for keeping your authenticator app active, safely storing your TOTP secret, and safely storing your backup codes.
In case your authenticator app is lost (phone change, stolen device, etc.), the backup codes will allow you to access your account and reset two-factor authentication.
If you have no backup codes and you are locked out of your account, you can contact our support desk as a last resort.
At Exoscale we take your account security extremely seriously, and we will need to authenticate you with a high degree of confidence. Just writing to the support desk from your registered email will not be enough.
We strongly encourage you to load your public SSH key to your account. If an RSA public key is registered on your account, we will send you the digest of a challenge and expect it to be signed with your private key. Using the public key registered on your account, we will verify the signed digest and act on the account reset request if verification succeeds.
We strongly encourage you to save a phone number on your account. If a phone number is present on the account, we will send a challenge to that number and act on the request if the correct challenge is sent back to us with the account reset request.
If those methods are unavailable or fail, there will be no action on our side and you will not be able to access your account any more.