Each user can now add two-factor authentication to their account by clicking “Setup” in the UI and then selecting “Enable” under 2FA on the “My Security” page.
Two-factor authentication is done through an RFC 6238-compatible TOTP application; a list of such applications is supplied on the enabling page. Not all applications have been tested, but because this is a well-defined standard we expect all of them to work correctly.
Once enabled, two-factor authentication is required for the following activities (note that existing sessions and tokens are not automatically reset):
- Login to the UI
- Retrieving a permanent private access token
- Changing two-factor authentication settings
Passwords and two-factor authentication are considered separate; as such, we have not changed the password reset or password change flows.
In the initial release, changing or disabling two-factor authentication requires the existing code, and there is no way to change that. A future release is expected to allow a different user who has admin permissions and two-factor authentication enabled to reset the setting, but at present resetting 2FA requires manual action from Billforward. As such, you may provide us with a list of users and/or communication methods authorised to request a 2FA reset; to mitigate social engineering attacks, we will not accept a request from anyone else.