Two-factor authentication

Tagged in
- security

Two-factor authentication lets you protect your account in a strong way.

With two-factor authentication enabled, logging in to your account works a bit differently than usual: you enter your password and a secure code generated by your mobile device. Stealing your password isn’t enough for an attacker to get access to your Exoscale account.

This method combines the security of something you know (your password) and something you have (your mobile device that generates secure codes).

Set up

From the top ACCOUNT drop-down menu, go to ACCOUNT DETAILS and then click on the Password and Security tab.

Click on Set up two-factor verification.
Enter your Account password
Scan the QR code with your device’s authenticator app, or enter the code in the app
Your app will give you another code to enter in the form
Enter the code as requested and submit it
You will be presented with a confirmation window if the code has been successfully entered and with a set of backup codes.
ENSURE YOU SAVE THE BACKUP CODES
you should be all set

If you don’t have an authenticator app yet, here are a few possibilities:

for Android: FreeOTP
for Android, iOS, and Blackberry: Google Authenticator
for Android and iOS: Duo Mobile
for Windows Phone: Authenticator
for Linux/BSD/OS X: OATH Toolkit (with oathtool --totp -b yoursecret)

Implications

Once Two-factor authentication is enabled you are fully responsible for maintaining your Authenticator App active, safely store your TOTP secret, and safely store your backup codes.

In case your Authenticator App is lost (phone change, stolen devices, etc.) the backup codes will allow you to access your account and reset Two-factor authentication.

If you have no backup codes and you are locked out from your account you can contact our support desk as last resort.

At Exoscale we take your account security extremely seriously, and we will need to authenticate you with a high degree of confidence. Just writing to the support desk from your registered email will not be enough.

We strongly encourage you to load your public SSH key to your account. If an RSA public key is registered in your private account, we will send you the digest of a challenge, expecting it to be signed with your private key. Using the public key registered on your account, we will verify the signed digest and act on the account reset request if verification succeeded.

We strongly encourage you to save a phone number on your account. If a phone number is present in the account, we will send a challenge to the phone number and act on the request if the correct challenge is sent back to us in the account reset request.

If those methods are unavailable or fail, there will be no action on our side and you will be not able to access your account any more.