How to Manage Two-Factor Authentication on your DigitalOcean Account
An authentication factor is a piece of information used to verify that you're allowed to do something, like a keycard used to unlock a hotel door. Two-factor authentication, commonly abbreviated as 2FA, is any form of verification that requires two factors, like withdrawing money from an ATM using both a bank card and its PIN.
DigitalOcean supports 2FA for Cloud accounts in the form of a security code that you use in addition to your password when you log in. You can receive the code via SMS or an authenticator app on your smartphone.
Using 2FA adds an additional layer of security against unauthorized access to your account. Even if a bad actor gains access to your password, for example, they still can't access anything without also having your phone.
This article explains how to enable two-factor authentication for your DigitalOcean cloud account.
When Should I Use 2FA for My DigitalOcean Account?
We strongly recommend enabling 2FA on all DigitalOcean accounts.
Our default account authorization protects accounts without two-factor authentication enabled, but not as effectively as using 2FA itself.
DigitalOcean 2FA at a Glance
- Price: Free.
- Supported authentication methods: Authenticator apps, SMS, and backup codes.
- Default state: 2FA is disabled on initial account creation. See below about default authorization.
- Settings: User Profile > Settings > Security.
Default Account Authentication
When you first create your account, two-factor authorization is disabled, but DigitalOcean takes other steps to protect your account.
Each time you log in from a new location using a new device or a different web browser, we email an authorization code to the address on your account. You'll need to check your email, retrieve the code, and enter it to complete your login.
This means that even without two-factor authentication enabled, a bad actor would need both your DigitalOcean password and your email password in order to log in. This isn’t as effective as 2FA, but it increases the difficulty for would-be attackers and provides you with notification if someone is trying to access your account.
Enabling Two-Factor Authentication
To enable two-factor authentication for your DigitalOcean Account, log into the Control Panel, open the User menu, and choose Security in the left navigation. You can also click any of the Control Panel reminders to enable 2FA.
Note: If you're using a team, be sure to switch to the Security tab associated with your personal account. not the team.
When you enable 2FA, you'll then need to choose your second factor and choose a backup method.
After 2FA is enabled, you can return to the Security page to modify your choices, generate new backup codes, or disable 2FA.
Choosing the Second Factor
When you click the Enable Two-Factor Authentication button, you'll be asked to choose between using an authenticator app or SMS.
Using an App (Preferred)
Authenticator apps like Google Authenticator, Authy, or Duo are small, free mobile applications used to generate security codes. They work globally and are more secure than SMS because they don't transmit the security codes across the network.
When you choose this method, you need to scan the provided QR code using the authenticator app on your phone or tablet. This will link your device to your DigitalOcean account.
If you're unable to scan the code, click the Try this instead link directly underneath it. This will give you a code which you can enter manually by following the directions in your specific authenticator app. When you enter the code, the app will give you a PIN to enter in the space provided. Once you've enter the PIN, the app will be linked with your DigitalOcean account.
Now that the app and your account are linked together, when you log in in the future, you'll be prompted for the two-factor auth code from you app. You'll need to open the app on your smartphone to reveal the code, then enter it when prompted in the Control Panel to complete logging in.
If you select SMS, your mobile carrier must be able to deliver a text message, which means you'll need mobile signal or an Internet connection. This may be inconvenient when travelling internationally. In addition, because SMS messages can be easily intercepted by hackers, they're not as secure as an app. However, using SMS for two-factor authentication still provides much stronger security for your account than not enabling it at all.
When you select SMS, you'll be prompted for the phone number.
Note: You cannot use VoIP or Telephony telephone numbers from services like Google Voice or Ooma.
Once you enter the code, DigitalOcean will send a code via SMS. When you receive it, you'll enter the code to link your phone and your account. In the future, you'll receive a code via SMS to enter into the Control Panel to complete your login.
Choosing a Backup Method
When you're finished configuring your primary method for two-factor auth, you're prompted to add a backup method. Backup codes are the default selection and recommended method.
Backup Codes (Preferred)
Backup codes ensure that if your two-factor auth device is lost or stolen, you can still access your account. The codes act like a second password and should be stored in a secure place that you can access without your phone. They're visible on-screen and you can also download a .txt file:
Once you've used a backup code it is no longer valid, so it can be helpful to delete it or cross it out in your records. If you start to run low on backup codes, you can generate more. Note that when you do, any remaining codes from before will no longer be valid.
Disabling Two-Factor Auth
Once you've logged in, open the User profile menu and follow the link to the Security page in the left navigation. When you move your mouse cursor over the green Two-factor Authentication Enabled button, it will turn red and the text will change to Disable Two-factor Authentication.
When you select that button, a window titled Disable two-factor authentication? will open to confirm your choice. Click the red Yes, Disable 2FA button to disable two-factor authentication.
If you've lost access to your 2FA device and don't have a backup method, then you'll need to submit a ticket to the DigitalOcean support team, who can help you restore your access.
If you haven't already, we encourage you to enable two-factor auth today.
You might also be interested in learning how to use two-factor authorization for your infrastructure itself with the DigitalOcean Community tutorial How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04.