====== Two-Factor Authentication ======

===== General =====

  * Two-factor authentication (2FA) can be configured using a mobile app. A Time-based One-Time Password (TOTP) application then automatically generates an authentication code, which changes after a set period of time.
  * To configure authentication via TOTP on multiple devices, scan the QR code with each device at the same time during setup.
  * If 2FA is already enabled and you want to add another device, you must reconfigure 2FA from your security settings.

===== Enabling Two-Factor Authentication =====

==== Download the Authenticator App ====

Any authenticator app should work with Friendica. Nonetheless, we recommend:

  * For iOS: [[https://mattrubin.me/authenticator|Matt Rubin's MIT-licensed Authenticator app]]
  * For Android: [[https://github.com/andOTP/andOTP|andOTP]]

==== Record your One-Use Recovery Codes ====

From your two-factor authentication user settings (''/settings/2fa'' on your node), enter your password and click on "Enable two-factor authentication".

You will be presented with a list of one-use recovery codes. Please save them in the same place you save your Friendica password (ideally, in a password manager like [[https://keepass.info|KeePass]]).

When you're done, click on "Next".

==== Set up your Authenticator App ====

You have three methods to set up your authenticator app:

  - Scan the QR code with your device camera. This will automatically configure your account in the app.
  - Click/tap on the provided ''%%totp://%%'' URL. Ideally your authenticator app will be opened with this URL and will set up your account.
  - Enter your account settings manually. Friendica uses the default settings for token type, code digit count and hashing algorithm, but you may be required to enter them in your app.

**Important**: If you have multiple devices, configure them all at this point.

Then verify your app is correctly configured by submitting a code provided by your app.
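To make the manual-settings step and the verification step concrete, here is an added example (not Friendica's own code) of what an authenticator app does with the scanned ''otpauth://'' URI and how a server checks the submitted code. The sample URI, the account label and the use of the RFC 6238 reference secret are constructed for illustration; the defaults applied when the URI omits parameters are the RFC 6238 ones (SHA1, 6 digits, 30-second period).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the otpauth:// URI an authenticator app receives when it
# scans the enrolment QR code. The secret is the RFC 6238 reference key, so the
# codes can be checked against that RFC's published test vectors.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = (f"otpauth://totp/Friendica:alice%40example.org"
              f"?secret={SAMPLE_SECRET_B32}&issuer=Friendica")

def parse_otpauth(uri):
    """Return (label, secret bytes, params) from an otpauth://totp/ URI.
    Absent parameters take the RFC 6238 defaults (SHA1, 6 digits, 30 s)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = query["secret"].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)  # apps often omit base32 padding
    params = {"algorithm": query.get("algorithm", "SHA1").lower(),
              "digits": int(query.get("digits", "6")),
              "period": int(query.get("period", "30"))}
    return unquote(parsed.path.lstrip("/")), base64.b32decode(secret), params

def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algorithm)

def verify_totp(secret, code, at=None, window=1, **params):
    """Server-side check: accept the current step plus/minus `window` steps to
    absorb clock drift between phone and server, using a constant-time compare."""
    at = time.time() if at is None else at
    period = params.get("period", 30)
    return any(hmac.compare_digest(totp(secret, at + s * period, **params), code)
               for s in range(-window, window + 1))
```

Because the code depends only on the shared secret and the current time step, a code submitted one step late is still accepted within the window, while an older one is rejected.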
This will conclude the two-factor authentication configuration.

**Note:** If you leave this screen at any point without having submitted a verification code, two-factor authentication won't be enabled on your account. To complete the configuration, just come back to your two-factor authentication user settings (''/settings/2fa'') and click on "Finish configuration" after entering your current password.

===== Disabling Two-Factor Authentication =====

You can disable two-factor authentication at any time by going to your two-factor authentication user settings (''/settings/2fa'') and clicking on "Disable two-factor authentication" after entering your current password.

You should remove your Friendica account from your authenticator app, as it won't work again even if you re-enable two-factor authentication. In that case you will have to configure your authenticator app again using the process above.

===== Managing your One-Time Recovery Codes =====

When two-factor authentication is enabled, you can show your recovery codes, including the ones you've already used.

You can freely regenerate a new set of fresh recovery codes; just be sure to replace the previous ones where you saved them, as they won't be active anymore.

===== Third-Party Applications and API =====

Third-party applications using the Friendica API can't accept two-factor time-based authentication codes. Instead, if you enabled two-factor authentication, you have to generate app-specific, randomly generated long passwords to use in your apps instead of your regular account password.

**Note**: Your regular password won't work at all when you are prompted for it in third-party apps if you enabled two-factor authentication.

You can generate as many app-specific passwords as you want; each one is shown to you only once, right after you generate it. Copy and paste it into the Friendica account password field of your third-party app at that point.
We recommend generating a separate app-specific password for each third-party app you use, with a meaningful description of the target app (like "Frienqa on my Fairphone 2").

You can also revoke any and all app-specific passwords you generated this way. This may log you out of the third-party application(s) you used the revoked app-specific password to log in with.