How to Manage Two-Factor Authentication on your DigitalOcean Account
Two-factor authentication, often abbreviated as 2FA, adds an extra layer of security to your DigitalOcean Cloud account. When you first create your account, you supply an email address, choose a password, and use these to log into the Control Panel. When you add a second factor such as a code that must be retrieved from a smartphone, it's not enough for someone to know those credentials. They must also have the smartphone. This greatly reduces the chances of someone being able to access your account.
DigitalOcean Two-Factor Auth at a Glance
Supported methods: Authenticator Apps, SMS, Backup Codes
State: Disabled by default
Enable and Disable: User Profile > Settings > Security
- Hardware keys are not yet supported
- No "Remember Computer" option. Two-factor auth is required each login.
When you first create your account, two-factor authentication is disabled. However, DigitalOcean takes steps to protect the account. Each time you log in from a new location, using a new device, or using a different web browser, an authorization code is sent to your account's email address, and you'll need to check your email, retrieve the code, and enter it to complete your login. This means a bad actor needs both your DigitalOcean password and your email password in order to access your account. This isn't as effective as two-factor authentication, but it increases the difficulty for would-be attackers and provides you with notification if someone is trying to access your account.
Enabling Two-Factor Authentication
To enable two-factor authentication settings for your DigitalOcean Account, you can click any of the Control Panel reminders or navigate to the Security tab as described below:
- Log into the Control Panel
- Open the User menu
- Choose Security in the left navigation
Later, return to the Security page to change your choices, generate new backup codes, or disable two-factor auth.
Note: If you're using a team, be sure to switch to the Security tab associated with your personal account, not the team.
Choosing the Second Factor
When you click the Enable Two-Factor Authentication button, you'll be asked to choose between using an authenticator app or SMS.
Using an App (Preferred)
Authenticator apps like Google Authenticator, Authy, or Duo are small, free applications you install on your smartphone or tablet and use to generate an extra code. They work globally and are more secure than SMS because they don't transmit the code across the network.
When you choose this method, you'll be provided with a QR code to be scanned from within the app on your phone. This will link your device to your account.
If you're unable to scan the code from within the app, click the Try this instead link, which will give you a code. You'll use that code following the directions for the specific app you've installed on your phone. When you supply the code to the app, it will give you a PIN to enter in the space provided. Once you've entered the PIN, the app will be linked with your DigitalOcean account.
Now that the app and your account are linked together, when you log in in the future, you'll be prompted for the two-factor auth code from your app. You'll need to open the app on your smartphone to reveal the code, then enter it when prompted in the Control Panel to complete logging in.
Using SMS
If you select SMS, your mobile carrier must be able to deliver a text message, which means you'll need mobile signal or an Internet connection. This may be inconvenient when travelling internationally. In addition, because SMS messages can be easily intercepted by hackers, they're not as secure as an app. However, using SMS for two-factor authentication still provides much stronger security for your account than not enabling it at all.
When you select SMS, you'll be prompted for the phone number.
Note: You cannot use VoIP or Telephony telephone numbers from services like Google Voice or Ooma.
Once you enter the number, DigitalOcean will send a code via SMS. When you receive it, you'll enter the code to link your phone and your account. In the future, you'll receive a code via SMS to enter into the Control Panel to complete your login.
Choosing a Backup Method
When you're finished configuring your primary method for two-factor auth, you're prompted to add a backup method. Backup codes are the default selection and recommended method.
Backup Codes (Preferred)
Backup codes ensure that if your two-factor auth device is lost or stolen, you can still access your account. The codes act like a second password and should be stored in a secure place that you can access without your phone. They're visible on-screen and you can also download a .txt file.
Once you've used a backup code it is no longer valid, so it can be helpful to delete it or cross it out in your records. If you start to run low on backup codes, you can generate more. Note that when you do, any remaining codes from before will no longer be valid.
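The lifecycle described above (each code works once, and generating a new set invalidates every earlier code) is shown below as an added, hypothetical server-side store; it is not DigitalOcean's implementation. It assumes codes are kept only as hashes, so a database leak does not expose usable codes, and that the plaintext set is shown to the user only at generation time.

```python
import hashlib
import hmac
import secrets


class BackupCodeStore:
    """Hypothetical store for one account's backup codes (illustration only)."""

    def __init__(self) -> None:
        self._hashes: set[bytes] = set()

    @staticmethod
    def _digest(code: str) -> bytes:
        # Normalise user input (dashes, case) and hash it; plaintext is never stored.
        return hashlib.sha256(code.replace("-", "").lower().encode()).digest()

    def regenerate(self, count: int = 10) -> list[str]:
        """Issue a fresh set of codes; every previously issued code stops working."""
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
        self._hashes = {self._digest(c) for c in codes}
        return codes  # displayed once, e.g. on screen or as a .txt download

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; a reused or replaced code is rejected."""
        wanted = self._digest(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, wanted):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left, so the user knows when to regenerate."""
        return len(self._hashes)
```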
Disabling Two-Factor Auth
To disable two-factor auth or change your configuration, once you've logged in, open the User profile menu and follow the link to the Security page in the left navigation.
If you've lost access to your two-factor auth device and don't have a backup method, then you'll need to submit a ticket to the DigitalOcean support team, who can help you restore your access.
If you haven't already, we encourage you to enable two-factor auth today.
You might also be interested in learning how to use two-factor authentication for your infrastructure itself with the DigitalOcean Community tutorial How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04.