[ANN] Two-factor auth support for Clojars.org

Toby Crawley

Jun 13, 2020, 9:54:08 AM6/13/20
to clo...@googlegroups.com
Hi folks!

We just released *optional* two-factor auth support for Clojars to
improve account security. The details are available at
https://github.com/clojars/clojars-web/wiki/Two-Factor-Auth, the
contents of which I have included below for convenience.

Please file an issue at https://github.com/clojars/clojars-web/issues
if you run into any problems with using it or have any suggestions to
make it better!

- The Clojars Team

---

Clojars supports requiring [two-factor
authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication)
to log in that is configured on a per-account basis.

## Enabling it

Clojars uses time-based one-time passwords (TOTP) to implement
two-factor auth. To use it, you will need a device capable of
generating TOTP codes. There are several applications for mobile
phones (search for "TOTP" or "two-factor" in your app store). Password
storage applications (such as [KeePassXC](https://keepassxc.org/) or
[1Password](https://1password.com/)) also provide TOTP generation, but
keep in mind that having a single application/device supplying your
password and TOTP code somewhat defeats the purpose of two-factor
auth.

Once you have a device that can generate TOTP codes, you will need to
enable it on Clojars and link your device to your Clojars account.

1. Visit <https://clojars.org/mfa/>
2. Enter your password
3. You will be presented with a QR code to scan with your device. If
you are using a device where you can't scan the QR code, you can copy
and paste the shared key instead.
4. Once you have set up your device, you will be asked to enter a code
generated by your device. This is used to verify that the setup is
correct, and **two-factor auth will not be enabled on your account
until you enter a correct code**.
5. Once you have verified your setup, two-factor auth will be enabled
for your account and you will be presented with a one-time use
recovery code. **Save this code somewhere safe.** This code can be
used in place of a TOTP code when logging in, but only once. Using
this recovery code will *disable* two-factor auth on your account,
requiring you to set it up again.

## Logging in with a two-factor/TOTP code

To log in, you will need to provide your password and a TOTP code on
the login page. Note that TOTP codes are dependent on the clock on the
device being relatively close to the clock on the server. If there is
any skew there, it's possible for the code to be rejected. If your
code is rejected, please try again with a code that has several
seconds remaining on its validity.

## Recovery

As noted above, you will receive a recovery code when you set up your
two-factor authentication. If you lose access to your two-factor
device, you can use this code to log in. Doing so will automatically
disable your two-factor auth on your account. **It is important that
you keep this code, as it may be difficult for the Clojars admins to
verify your identity to disable two-factor auth on your behalf**.

## Deploying after enabling two-factor auth

Once you enable two-factor auth, you *must* use a [deploy
token](https://github.com/clojars/clojars-web/wiki/Deploy-Tokens) to
deploy artifacts.