"Enable Two-Factor Authentication" now available via Select Site > My Site > Administration > Info, or roster "modify" action (shown later).
To enable two-factor auth, the user has to confirm access to their account via the following form. This form grants access to so-called "restricted account actions" for a limited time. When two-factor auth is enabled, this form is also required for changing passwords and email addresses, and will include fields for authenticator code and recovery code.
Two-factor auth setup screen:
Option to print recovery codes:
The user is required to input the current authenticator code in order to complete the setup. This ensures that they have actually completed the setup successfully.
If the user takes more than 5 minutes to complete the setup, they'll have to re-confirm their account access:
Incorrect authenticator code error:
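The setup flow above has three pieces worth seeing together: the "confirm access" form that opens a limited-time window for restricted account actions, the 5-minute expiry of that window, and the requirement that the user submit a current authenticator code before setup counts as complete. The following is an added example, not the site's own code, and it assumes the authenticator codes are RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), that the window is the page's 5 minutes, and a toy SHA-256 password hash (a real system would use a proper password KDF). Names such as `Account`, `confirm_account_access` and `enable_two_factor` are hypothetical.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TOTP_STEP = 30            # seconds per authenticator code (RFC 6238 default, assumed)
GRANT_WINDOW = 5 * 60     # the page's 5-minute restricted-action window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """RFC 6238 TOTP check accepting +/- `skew` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = now // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - skew, counter + skew + 1)
    )


@dataclass
class Account:
    user_id: str
    password_hash: bytes                     # demo hash only; use a real KDF in production
    totp_secret: Optional[bytes] = None      # None means two-factor is not enabled
    grant_issued_at: Optional[int] = None    # when account access was last confirmed


def hash_password(password: str) -> bytes:
    # Constructed stand-in for a password KDF; not suitable for real storage.
    return hashlib.sha256(password.encode()).digest()


def confirm_account_access(acct: Account, password: str, now: int, code: str = "") -> bool:
    """The 'confirm access' form. Once two-factor is enabled it also demands an
    authenticator code. Success opens the restricted-action window."""
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        return False
    if acct.totp_secret is not None and not verify_totp(acct.totp_secret, code, now):
        return False
    acct.grant_issued_at = now
    return True


def restricted_action_allowed(acct: Account, now: int) -> bool:
    """True only inside the window; after 5 minutes the user must re-confirm."""
    return acct.grant_issued_at is not None and now - acct.grant_issued_at <= GRANT_WINDOW


def enable_two_factor(acct: Account, pending_secret: bytes, code: str, now: int) -> str:
    """Finish setup. The window must still be open, and the user must prove the
    authenticator works by submitting the current code for the pending secret.
    Returns 'reconfirm', 'bad-code' or 'enabled' to match the screens on the page."""
    if not restricted_action_allowed(acct, now):
        return "reconfirm"
    if not verify_totp(pending_secret, code, now):
        return "bad-code"
    acct.totp_secret = pending_secret
    return "enabled"
```

The secret is only committed to the account once a valid code for it has been seen, so a user who abandons setup after scanning the QR code is never left with a second factor they cannot produce. The check against the RFC 4226 test vector (secret `12345678901234567890`, counter 1 gives `287082`) is a cheap way to confirm the HOTP truncation is right before trusting it.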
Two-factor auth set up successfully! "Disable Two-Factor Authentication" and "Create New Recovery Codes" actions are now available. The latter can be used if the user loses their recovery codes.
Email sent upon successful setup:
Create New Authenticator Recovery Codes form:
New recovery codes screen. The content here is a subset of what was shown on the setup screen, with the same instructions and copy/download/print options.
Email sent upon creation of new recovery codes:
Login screen remains the same whether two-factor auth is enabled or not:
If the user has two-factor auth enabled, they will see this form, which is required to complete the login. The user can enter an authenticator code or recovery code. Recovery codes can only be used once.
Invalid authenticator code error:
Invalid recovery code error:
If the user takes more than 5 minutes to enter their authenticator/recovery code, they have to complete the initial login step again:
Login via Authenticator Code:
Login via Authenticator Recovery Code:
Authentication Recovery Code accepted:
Cannot use the same recovery code again:
If the user has only one recovery code left, we generate more recovery codes:
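The recovery-code behaviour described in the login section (a code can be used once, reuse gets its own error, and a fresh batch is issued when only one code remains) can be modelled in a few lines. This is an added example rather than the site's code. It assumes a batch of 10 ten-hex-character codes (the page does not state the size or format), that codes are stored hashed so a database read does not yield usable codes, that "Create New Recovery Codes" invalidates the whole previous set, and that "only one left" is evaluated right after a code is accepted, so the new batch is shown on the same screen. The `RecoveryCodes` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

CODE_COUNT = 10       # assumed batch size
CODE_BYTES = 5        # assumed: token_hex(5) -> 10 hex characters per code
MIN_REMAINING = 1     # page: when only one code is left, generate more


def hash_code(code: str) -> str:
    """Normalise user input (whitespace, case) and hash it; only hashes are stored."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


@dataclass
class RecoveryCodes:
    unused: Set[str] = field(default_factory=set)   # hashes of codes still valid
    spent: Set[str] = field(default_factory=set)    # hashes already redeemed, for the reuse error

    def regenerate(self, rng: Callable[[int], str] = secrets.token_hex) -> List[str]:
        """'Create New Recovery Codes': the old set is invalidated entirely.
        The plaintext codes are returned once, for the copy/download/print screen."""
        codes = [rng(CODE_BYTES) for _ in range(CODE_COUNT)]
        self.unused = {hash_code(c) for c in codes}
        self.spent = set()
        return codes

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, code: str) -> Tuple[str, Optional[List[str]]]:
        """Second login step with a recovery code. Returns (outcome, new_codes):
        outcome is 'accepted', 'already-used' or 'invalid'; new_codes is a fresh
        batch to display when the accepted code left only one behind."""
        digest = hash_code(code)
        # constant-time scan rather than a direct set lookup
        if any(hmac.compare_digest(h, digest) for h in self.spent):
            return "already-used", None
        match = [h for h in self.unused if hmac.compare_digest(h, digest)]
        if not match:
            return "invalid", None
        self.unused.remove(match[0])
        self.spent.add(match[0])
        if self.remaining() <= MIN_REMAINING:
            return "accepted", self.regenerate()
        return "accepted", None
```

Because `regenerate` clears the spent set as well, a code from an old batch reports "invalid" rather than "already used" after a rotation, which avoids confirming to a holder of an old printout that the codes were ever real. Whichever outcome `redeem` returns, the caller should send the "new recovery codes" email shown on the page whenever `new_codes` is not `None`.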
To disable two-factor auth, the user is required to confirm their account access, which now requires an authenticator/recovery code:
Confirm disablement:
Disabled successfully:
Email sent upon two-factor auth disablement:
Note that long-term, changing passwords and email addresses should result in an email being sent to the user (to both new email address and old, in the case of changing the email address), but I haven't made that change yet.
Two-factor functions also available for the logged-in member in the roster member "modify" action:
Also, club admins who have two-factor enabled themselves are allowed to disable two-factor for club members. This should give users a way to recover on their own if they lose access to both their authenticator and their recovery codes:
Confirm disablement for member:
Disabled successfully: