====== Two-Factor Authentication ======

===== General =====

  * A two-factor authentication (2FA) can be configured using a mobile app. Then a Time-based One-Time Password (TOTP) application can be used, that automatically generates an authentication code. That code changes after a certain period of time.
  * To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time.
  * If 2FA is already enabled and you want to add another device, you must re-configure 2FA from your security settings.


===== Enabling Two-Factor Authentication =====

==== Download the Authenticator App ====

Any authenticator app should work with Friendica.
Nonetheless, we recommend:

  * For iOS [[https://mattrubin.me/authenticator|Matt Rubin's MIT-licensed Authenticator app]]
  * For Android [[https://github.com/andOTP/andOTP|andOTP]]
 

==== Record your One-Use Recovery Codes ====

From your two-factor authentication user settings (''/settings/2fa'' on your node), enter your password and click on "Enable two-factor authentication".

You will be presented with a list of one-use recovery codes.
Please save those in the same place you are saving your Friendica password (ideally, in a password manager like [[https://keepass.info|KeePass]]).

When you're done, click on "Next".

==== Setup your Authenticator App ====


You have three methods to setup your authenticator app:

  - Scan the QR Code with your device camera. This will automatically configure your account on the app.
  - Click/tap on the provided '' totp:%%/%%/URl''. Ideally your authenticator app should be called with this URL and set up your account
  - Enter your account settings manually. Friendica is using default settings for token type, code digit count and hashing algorithm but you may be required to enter them in your app.

**Important**: If you have multiple devices, configure them all at this point.

Then verify your app is correctly configured by submitting a code provided by your app.
This will conclude two-factor authentication configuration.

**Note:** If you leave this screen at any point without having submitted a verification code, two-factor authentication won't be enabled on your account.
To complete the configuration, just come back to your [two-factor authentication user settings](/settings/2fa) and click on "Finish configuration" after entering your current password.

===== Disabling Two-Factor Authentication =====

You can disable two-factor authentication at any time by going to your [two-factor authentication user settings](/settings/2fa) and click on "Disable two-factor authentication" after entering your current password.

You should remove your Friendica account from your authenticator app as it won't work again even if you reenable two-factor authentication.
In this case you will have to configure your authenticator app again using the process above.

===== Managing your One-Time Recovery Codes =====


When two-factor authentication is enabled, you can show your recovery codes, including the ones you've already used.

You can freely regenerate a new set of fresh recovery codes, just be sure to replace the previous ones where you saved them as they won't be active anymore.

===== Third-Party Applications and API =====


Third-party applications using the Friendica API can't accept two-factor time-based authentication codes.
Instead, if you enabled two-factor authentication, you have to generate app-specific randomly generated long passwords to use in your apps instead of your regular account password.

**Note**: Your regular password won't work at all when prompted in third-party apps if you enabled two-factor authentication.

You can generate as many app-specific passwords as you want, they will be shown once to you just after you generated it.
Just copy and paste it in your third-party app in the Friendica account password input field at this point.
We recommend generating a single app-specific password for each separate third-party app you are using, using a meaningul description of the target app (like "Frienqa on my Fairphone 2").

You can also revoke any and all app-specific password you generated this way.
This may log you out of the third-party application(s) you used the revoked app-specific password to log in with.