Enabling Multifactor Authentication

From DreamHost

Overview

Multifactor Authentication is an effective solution that increases the security of your account. It requires two layers of authentication:

  • The first layer is your username and password.
  • The second layer is a one-time passcode, which you enter before you can gain access to your DreamHost account.

This second layer of security helps protect your account from hackers and website hijackers. DreamHost is proud to provide you with the choice to use either the Google Authenticator app or a YubiKey with the panel. This article explains how to enable this feature in your panel. For further details, review the FAQs section towards the bottom of this page.

Google Authenticator

The Google Authenticator app was chosen because it's free and widely available on Android, iOS/Apple, BlackBerry, or Windows mobile devices, and other third party APIs/Apps. For example:

Full details of Google’s security method and implementations can be found here:

Google Authenticator is particularly useful with mobile tablets/phones with a cellular or internet connection. In the event of a lost or disconnected mobile device, Google Authenticator also provides a list of non-expiring backup codes (during the initial configuration) that can be used. Outside of the Google Authenticator app, SMS text message or voice calls can be used to obtain the 2nd layer code.

Getting the Google Authenticator App

Before you can enable Multifactor Authentication on your DreamHost account, you'll need to install the Google Authenticator app on your smartphone or tablet device.

Note: If you already have the Google Authenticator app on your smartphone or tablet device, you just need to click the "+" in the lower right corner (iOS) or open the settings for the app and click "Add account" (Android). Then proceed to the next section of this walkthrough.


Google's official documentation on downloading and installing the app can be found here:

http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

The app can be downloaded from your device's App Store (or use Google's direct link for BlackBerry):

Enabling MFA in the panel for Google Authenticator

  1. Navigate to the (Panel > ‘Billing & Account’ > ‘Security’) page.
    The second section on that page is titled 'Multifactor Authentication':
    01 MFA.png
    • Current Password: Enter your DreamHost account password.
    • Multifactor Authentication Type: Click the dropdown menu to choose which of the two Google methods you’d like to use:
    - Google Authenticator, Time-Based (recommended)
    - Google Authenticator, Counter-Based
    Notes:
    • DreamHost recommends time-based one-time passcodes. Time-based codes provide better protection against phishing and keyloggers since each code is only valid for a short amount of time. Time-based codes also automatically stay in sync with DreamHost’s servers, as opposed to counter-based codes which require manual syncing.
    • If you use counter-based codes, you will need to press the refresh button next to the code in the Google Authenticator App each time you use it to advance it to the next code.


  2. Click the Get Started button.
    You will now see a QR Code and a 16-digit Secret Key that you will need to activate Multifactor Authentication:
    02 MFA.png
  3. Use the Google Authenticator App to scan the QR code.
    • If your device does not have a camera, you can instead enter the 16-digit Secret Key shown below the QR code into the app manually.
    • If you have more than one device running Google Authenticator, scan the QR code or enter the key on every device that you want to use with your DreamHost account.
  4. When the Google Authenticator app displays a 6-digit passcode, enter it in the Passcode field.
    • If you are using counter-based codes, you may need to press the refresh button to display the first code.
  5. Click the Activate! button and DreamHost’s server will be synced to your device.
    You will see a ‘Success!’ confirmation box appear:
    04 MFA.png
    Important: Save the backup codes presented in the ‘Success!’ dialog box. If you suspect your account may be compromised (for example if you have lost your phone or mobile device), and you're using Google Authenticator, you can use the Regenerate Key button to invalidate the old key and create a new one.
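
The difference between the two passcode types offered in step 1 can be seen in the following added example, which is not DreamHost's code. It implements the standard counter-based (RFC 4226) and time-based (RFC 6238) algorithms that Google Authenticator uses; the 30-second step, the ±1 window drift, the look-ahead of 5 and the sample key are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the number of the current time window."""
    return hotp(secret_b32, unix_time // step)

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def verify_totp(secret_b32, code, unix_time, last_used=-1, drift=1, step=30):
    """Time-based check: accept the current window +/- drift, never a window
    at or before last_used (replay). Returns the matched window or None."""
    now = unix_time // step
    for window in range(max(0, now - drift), now + drift + 1):
        if window > last_used and _same(hotp(secret_b32, window), code):
            return window
    return None

def verify_hotp(secret_b32, code, server_counter, look_ahead=5):
    """Counter-based check: look a few counters ahead so unused refresh presses
    do not lock the user out. Returns the next counter to store, or None."""
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret_b32, counter), code):
            return counter + 1
    return None

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQ"  # constructed 16-character base32 key, not a real one
    code = totp(secret, 1_700_000_000)
    print("accepted 10 s later:", verify_totp(secret, code, 1_700_000_010))
    print("rejected 5 minutes later:", verify_totp(secret, code, 1_700_000_300))
    print("resync after 3 unused presses:", verify_hotp(secret, hotp(secret, 3), 0))
```

A captured time-based code stops verifying once its window has passed, while a captured counter-based code stays valid until the server's counter moves past it.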


YubiKey

YubiKey was chosen because it's a small, low-cost, and durable USB hardware device with open source customization support for Windows, Mac, and Linux. Many companies and governments, including Google and the US Department of Defense, use YubiKey as an industry security standard for 2nd layer verification. Yubico hardware engineering and manufacturing is only conducted in the USA and Sweden to prevent device cloning and to mitigate the risk of exposure of its confidential design. In addition to using YubiKey with your DreamHost panel, you can also use it to secure access to a wide range of applications. For example:

  • Remote access
  • VPN
  • Password managers
  • Computer login
  • CMS and popular online services

Most third-party services that support Google Authenticator also support YubiKey. YubiKey is the affordable, hardware-based alternative to having a mobile phone/tablet with an internet connection. For example, YubiKey would be useful for remote locations where cellular service/internet is not available (network admins in a basement, government employees, etc.). As of 2015, YubiKey has a few product versions:

  • Standard model (estimated price $25)
  • Small USB form factor (Model: Nano $40)
  • NFC wireless technology (Model: Neo $50)

All these products can be purchased at the Yubico store.

Getting A YubiKey

If you choose to use a YubiKey to secure your DreamHost account, you'll need to get the hardware first. Click here to purchase a YubiKey.

You'll need to make sure your YubiKey is configured to use "Yubico OTP". It should come preconfigured this way, but if you need to set it up yourself, download the Cross-Platform Personalization Tool to re-program it.

  1. Plug in your YubiKey, and then open up the personalization tool.
  2. Click on Yubico OTP in the upper left corner.
  3. Click on Quick.
    You should see something like the following:
    06 MFA.png
  4. Select the 'Configuration Slot 1' radio button.
  5. Click the Write Configuration button to give your YubiKey the new configuration.
  6. Click the Upload to Yubico button to tell Yubico's verification servers about your key's new configuration.

Enabling MFA in the panel with YubiKey

  1. Navigate to the (Panel > ‘Billing & Account’ > ‘Security’) page.
    The Multifactor Authentication section appears in the second section on the page:
    07 MFA.png
  2. Enter the following:
    • Current Password: Enter your DreamHost account password.
    • Multifactor Authentication Type: Click the dropdown menu to choose YubiKey.
  3. Click the Get Started button.
    You won't see any QR code or secret key. There is only a field to enter a passcode:
    03 MFA.png
  4. Plug in your YubiKey, and then touch the disk. It should type 44 letters in the "Passcode" field.
  5. Click the Activate! button and DreamHost’s server will be synced to your device.
    You will see the following ‘Success!’ confirmation box appear:
    04 MFA.png
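
The 44 letters typed in step 4 have a fixed layout, shown in the following added example (not DreamHost's or Yubico's code). It assumes the default Yubico OTP configuration, in which the first 12 characters are the key's public ID and the remaining 32 are the encrypted one-time part; the function names and the sample OTP are constructed for the illustration.

```python
import hmac

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-safe alphabet for hex 0-f
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

def parse_yubico_otp(otp: str):
    """Split a 44-character Yubico OTP into (public_id, encrypted_bytes).
    Raises ValueError for anything that is not 44 modhex characters."""
    otp = otp.strip().lower()  # a key pressed with Caps Lock on types uppercase
    if len(otp) != 44 or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a 44-character modhex Yubico OTP")
    public_id, encrypted = otp[:12], otp[12:]
    return public_id, bytes.fromhex(encrypted.translate(_TO_HEX))

def from_enrolled_key(otp: str, enrolled_public_id: str) -> bool:
    """Cheap pre-check before asking the verification service: is this OTP
    well formed, and does it come from the key enrolled on the account?
    (Assumption: the server stored the public ID at activation time.)"""
    try:
        public_id, _ = parse_yubico_otp(otp)
    except ValueError:
        return False
    return hmac.compare_digest(public_id.encode(), enrolled_public_id.encode())

# Constructed sample: 12-character public ID followed by 32 modhex characters.
SAMPLE_OTP = "cccccccbdefg" + "cbdefghijklnrtuv" * 2

if __name__ == "__main__":
    public_id, blob = parse_yubico_otp(SAMPLE_OTP)
    print(public_id, blob.hex())
    print(from_enrolled_key(SAMPLE_OTP, "cccccccbdefg"))
```

Passing this check only shows that the string has the right shape and names the enrolled key; whether the one-time part is genuine and unused is decided by the verification servers.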

Changes to the panel login page

Once you've enabled Multifactor Authentication, you'll notice changes to the panel Log In screen. It will appear like this:

05 MFA.png

You will now see two fields:

Multifactor Authentication Code: Enter the 6-digit passcode generated by your mobile device.
Remember this computer?: From this dropdown menu, choose how long you wish your computer to store this code. The three options are:
  • Don’t remember
  • Remember for 1 week
  • Remember for 1 month

Changes when logging in from a new computer

Multifactor Authentication uses browser cookies to function, so if you try to log in from a new computer that has never logged in to your DreamHost panel before, the Multifactor Authentication Code field will not initially be visible, and your first log in attempt will fail. After that first attempt, DreamHost will identify your account and make the Multifactor Authentication Code field visible so that you can log in.

Recovering your account with Multifactor Authentication

If you lose your Google Authenticator device, you will need to use a backup code or write in to support to regain access to your account. If you forget your password but still have your Google Authenticator device (or a valid backup code), you can still click on the ‘forgot password?’ link on the log in page, or click the link below:

When you click this link, a form opens that asks for your email address. Once you submit the form, DreamHost sends you a link that you can use to reset your password, as long as you still have your second authentication factor available.

FAQs

What is Multifactor Authentication?

Authentication is the fancy word for what happens when you log in to a website. Normally, after you identify yourself with your username or email address, the website asks for one piece of information to authenticate you: your password.

Multifactor Authentication takes this to another level and asks for one or more additional pieces of information to successfully authenticate you. Usually these extra factors go beyond just something you know (such as a password) and use something you have (like an ID card) or something you are (your fingerprint or a retinal scan, perhaps). Without all the required factors, you won't be able to log in to the website.

Why Would I Want Multifactor Authentication?

Requiring these different kinds of factors for authentication makes it much harder for people to pretend to be you. Not only do they need to figure out your password, they also need to steal your ID card or fake your fingerprint. Accounts protected with Multifactor Authentication are usually much safer than those protected with only a password. In short, Multifactor Authentication can help combat fraud and protect you.

What types of Multifactor Authentication can I use with the DreamHost Web Panel?

DreamHost supports using the following options:

  • One-time passcodes generated with the Google Authenticator app. This app must be installed on your smartphone or mobile device.
  • YubiKey, a hardware token that plugs into a USB slot and types out a passcode.

What if I don't have a Smartphone or other Mobile Device?

You must purchase a YubiKey instead. If you'd like to see more options become available, please add a Suggestion at the DreamHost User Forum.

Doesn't Remembering a Computer Defeat the Purpose of Multifactor Authentication?

Not really. When you choose to remember a computer, you haven't disabled Multifactor Authentication; you've just told the server that a particular computer can be used as the second form of authentication rather than a one-time passcode.

The purpose of Multifactor Authentication is to make it harder for someone to steal all the information needed to log in to your account. On a public computer, such as one at a library or internet café, you don't know if it has a keylogger installed that's saving your username and password. If you are required to enter your one-time passcode on that computer, other people still cannot log in to your account even if they've stolen your username and password.

On the other hand, if you're sitting safely at home and using the computer you had DreamHost remember, and then get tricked into giving your username and password to a phishing site that intends to misuse that information, the phishers won't be able to log in to your account because their computer isn't remembered and they still need to use a one-time password.