Two-factor authentication (also known as multi-factor authentication) adds an extra layer of security to your Impact Stack installation.
When two-factor authentication is enabled, you log in with your username and password, and also a 6 digit number that is regularly re-generated on your phone. That means that somebody else would have to know or guess your username and password and also have access to your phone to log in with your account.
Remember that somebody who managed to log in to your Impact Stack could do everything you can do when you log in to Impact Stack. That includes accessing and deleting supporter data (including email address, name, and any other form data you ask for), creating and deleting actions, creating and deleting admin users and so on. Using two-factor authentication reduces this risk.
You can email support to ask to enable two-factor authentication and, optionally, to make it required for every user to set up two-factor authentication.
Separate instructions are available for setting up two-factor authentication on Nextcloud (files.impact-stack.org).
How to set up two-factor authentication on Impact Stack
- Install an app on your phone for two-factor authentication. Some examples are Authy (Android / iOS), Google Authenticator (Android / iOS), and Microsoft Authenticator (Android / iOS)
- Go to your 'user' page at your Impact Stack URL with /user at the end, e.g. https://YOUR-IMPACT-STACK-ADDRESS.com/user. Then click the 'Security' link in the top-right corner.
- Click the 'Set up application' link at the bottom of the grey box.
- Confirm your password
- On the page with the title "TFA setup - Application", scan the QR code with your authenticator app. It might take a second for the QR code to generate. Alternatively, you can paste the long text code into your authenticator app.
- Your authenticator app will generate a 6 digit number. Enter those 6 digits into the "Application verification code" field. Click the "Verify and save" button. (Those 6 digits will regenerate every 30 seconds. If you get an error, you might have used a previous code. Try again with the current code.)
- Mark the current browser you're using as trusted by clicking the "Save" button. This will mean you won't have to enter the 6 digit number for the next 30 days on this browser. You will have to add the 6 digits if you use another browser to log in.
- Save the recovery codes somewhere, such as in a password manager. Then click the "Save" button. You can use one of these recovery codes to log in instead of a code from your authenticator app. This can be useful if you lose your phone. But remember that somebody could use one of these recovery codes to help them log in with your account.
- Done. You can test that two-factor authentication is fully working by using a different browser or a private window to log in at your Impact Stack URL with /user at the end, e.g. https://YOUR-IMPACT-STACK-ADDRESS.com/user. Enter your username and password and then you should be asked to enter the 6 digit code.
If you are not asked for the 6 digit code when you're testing, make sure you're using a private window or a different browser from the one you used to set up two-factor authentication. If you chose to trust your browser, Impact Stack won't ask you for your 6 digit code on that browser for 30 days.
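To show what the authenticator app is doing with the "long text code" and why a code from a previous 30-second window is rejected, here is an added example (not Impact Stack's own code) of the standard TOTP calculation (RFC 6238, HMAC-SHA1, 30-second step, 6 digits). The secret below is the RFC 6238 test key, not a real account secret, and the verify function with its clock-drift window is an illustration of how a server-side check typically works, not a description of Impact Stack's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the code changes every 30 seconds
DIGITS = 6         # a 6 digit number

# RFC 6238 test key "12345678901234567890" in base32 (constructed example, not a real secret).
# The "long text code" shown on the TFA setup page is a base32 secret in this form.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the TOTP code for a given moment in time (RFC 6238 with HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = unix_time // step                      # which 30-second window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"       # keep leading zeros


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current window and +/- `window` steps for clock drift.

    A code from an older window than that is rejected, which is the
    "you might have used a previous code" error described in the setup steps.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SECRET, now), "valid for", STEP_SECONDS - now % STEP_SECONDS, "more seconds")
```

Scanning the QR code simply hands the same base32 secret to the app, so the phone and the server compute identical codes as long as their clocks agree.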
Now, somebody who wanted to get into your account would need your username, your password, and either A) one of your recovery codes or B) access to your authenticator app on your phone. So think about how to reduce the risk of A and B. You can store recovery codes and passwords in a password manager. Examples of password managers include 1Password, LastPass, and Bitwarden.