What is two-factor authentication?
Turning on Two-Factor Authentication (2FA) for a service changes the security requirements, forcing you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device. Those two forms of authentication can come from any combination of at least two of the following elements:
- "Something you know," such as a password or PIN
- "Something you are," such as a fingerprint or other biometric ID
- "Something you have," such as a trusted smartphone or physical security key that can generate or receive confirmation codes
Why use two-factor authentication?
Two-Factor Authentication (2FA) is sometimes called multiple-factor authentication. In simple terms, it adds an extra layer of security to every online platform you access. The first layer is generally a combination of an e-mail (or username) and password. Adding one more step of authenticating your identity makes it considerably harder for an attacker to access your data. If your password is compromised, the attacker still cannot obtain access to your account.
This drastically reduces the chances of fraud, data loss, or identity theft.
How to use two-factor authentication in Re-Leased
Re-Leased supports both smartphone-based (TOTP) authenticators as well as industry best practice hardware/biometric-based physical authenticators.
Enabling 2FA for your account
Setting up 2FA is a simple and fast process. You can begin by accessing your Re-Leased account settings and following the instructions to configure your second form of authentication.
To assist you in this process, we've provided helpful instructional videos that guide you through each available step method. To get started, simply click on one of the available setup options below.
- How to set up two-factor authentication using an authenticator app
- How to set up two-factor authentication using a physical authenticators/key
Hint: You may have multiple 2FA methods enabled, and choose between them during sign-in if you wish. This can be handy for example to use something like a physical key when you are on your laptop, but an authenticator app instead when on a mobile device.
Generating Recovery Codes
Remember to generate your recovery codes after enabling 2FA on your account. It is important to create and securely store these codes, as they serve as a backup to log in to your account in the event that you lose access to your primary authentication device, such as your phone.
Please download, print or copy your new recovery codes and save them somewhere safe before continuing.
Recommended Best Practises
- Administrators should enable required 2FA for all users
You can enforce that all your users of Re-Leased must enable a 2FA method in order to use the application. This option can be found in the Security section of your company settings page under ‘Settings -> Manage Companies. Toggle this setting on to force all users to set up 2FA the next time they sign-in. They will not be about to proceed without enabling at least one method.
- Assist other users with onboarding to 2FA apps or supply hardware devices such as Yubikeys.
Some people can find the concepts behind 2FA a little confusing. The best way to help your users to be security conscious is to empower them! Help your team members to understand the process and the reason why 2FA is such important. Pointing them at this document is a great starting point.
In some cases, consider if using a physical security key can be a simpler concept for people to get them using 2FA.
Other Security Suggestions
- Enable single session mode
Single session mode is a user setting - this will prevent users from having multiple active sessions (e.g. accessing the application from more than one place).
- Use a password manager
This is not specific to Re-Leased but is a very good general security practice to ensure your password is hard to brute force crack/guess. We highly recommend the use of password managers such as 1Password or LastPass.
- Regenerating recovery codes
Keep your recovery codes private and do not share them with others as they can be used to access your account without 2FA. If you use a recovery code to log in, be sure to generate a new set afterwards by navigating to Your Account> Security -> Manage Two-Factor Authentication Methods page and clicking Regenerate Recovery Codes tile.
Please download, print or copy your new recovery codes and keep them somewhere safe before continuing.