2FA
Two-factor authentication is key to security; however, if set up incorrectly it can lead to worse security or simply be unusable. Furthermore, you must know about and set up backups in case you lose access to your phone.
For all accounts it is highly recommended to set up 2FA when it is an option, but only in a way where it can be accessed easily by other people in the society.
This document will go over the basics for all of the above.
TOTP
TOTP (Time-based One-Time Password, sometimes just called a one-time passcode) is the most common form of 2FA you will see, as it can be set up easily on any device and is fairly easy to understand.
The most common form of this is a code which changes every 30 seconds.
Individuals
The issue with TOTP is that normally only one device has access to the codes (you can set up multiple devices with the same code, but it is hard to keep them in sync).
So for your own accounts you can mostly ignore the worry above and just download an app on your phone which handles this, e.g.:
Apps which can help you store all your 2FAs:
- Authy
- Google Authenticator
- Microsoft Authenticator
- Or any other that supports TOTP
Note that some companies (cough cough Google and Microsoft) like to push you to download their authenticator app when setting up TOTP. This is not actually required because it's an open standard, so for your own sanity just use one app for this.
Student-Led Initiatives
For student-led initiatives, we need to make sure that in the future someone else in the initiative can access and use the code.
Therefore we recommend using our Vaultwarden instance and storing it in the same place as the username and password (there is a field called TOTP).
More information can be found on Bitwarden Documentation.
Adding a code
Once you know where you are going to store your TOTP codes, adding one is really quite simple (though it may be hard to find).
Note these instructions are generalised so you may need to use your intuition or guesswork to translate these into practical steps.
- Find the 2FA section on the account settings page.
  - This may sometimes be under “password” or “security”.
- You should then be able to click “Add 2FA”, “Add Authenticator App” or “Add TOTP”.
- If the website says to specifically download an app, ignore it and press “continue”.
- Once you see a QR code, open the app which will store the code:
  - Most apps: click “Add” (you may need to then click “Other accounts” if they ask you to log in). This should bring up a camera where you can scan the QR code.
  - Bitwarden: open the item with the login information and click edit. Then click the camera icon near TOTP (on the mobile version), which will let you scan the QR code.
  - Input manually: if you can’t scan the QR code, go back to the page and copy the code below the QR code (it may be hidden behind a menu which says “can’t scan?” or “input manually”). Copy and paste this code into the TOTP section of your app.
- Once scanned, the app will show you a code and a countdown (make sure you are looking at the correct one if there are multiple listed; it should be under the website name).
- You can then type the code into the input box on the website and hit continue (this checks you have set it up correctly).
- Some websites will then show a set of backup codes; see Backup Codes for more information, but you want to either download these and store them in a secure location or copy them into a Bitwarden note (separate from the original item).
And that’s it!
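As an added illustration (not part of this guide) of what the QR code and the “input manually” code actually are: the QR code encodes an otpauth:// URI containing a base32 secret, and any app implementing the TOTP standard (RFC 6238) turns that secret and the current time into the same code, which is why a vendor’s own app is never required. The Python below parses a constructed sample URI (the label, issuer and address are made up for this example; the secret is the RFC 6238 test key, so the output can be checked against the published test vectors), generates codes, shows the countdown, and verifies a code with a one-step tolerance for clock drift, as most websites do.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: this is the kind of text a "set up authenticator app" QR code
# encodes. The secret is the RFC 6238 test key ("12345678901234567890" in base32);
# the society name and e-mail address are invented for the example.
SAMPLE_URI = (
    "otpauth://totp/ExampleSociety:treasurer%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSociety"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the secret and parameters out of an otpauth:// URI (the QR code's contents)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        # The "input manually" code on the website is exactly this secret.
        "secret": query["secret"].upper().replace(" ", ""),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    # Websites often omit the base32 '=' padding; restore it before decoding.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, digits, algorithm)


def seconds_remaining(at=None, period=30):
    """The countdown the app shows next to the code."""
    if at is None:
        at = time.time()
    return period - (int(at) % period)


def verify_totp(secret_b32, code, at=None, period=30, digits=6, algorithm="SHA1", window=1):
    """Accept the current code or a neighbour within `window` steps (clock drift tolerance)."""
    if at is None:
        at = time.time()
    step = int(at) // period
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    code = totp(params["secret"], period=params["period"], digits=params["digits"],
                algorithm=params["algorithm"])
    print(f"{params['label']}: {code} ({seconds_remaining(period=params['period'])}s left)")
```

Because the secret is all a website and an app share, anyone holding that base32 string (or the QR code) can generate valid codes forever; that is why the manual code belongs in the password manager entry and nowhere else, and why backup codes should be kept separately.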
Using a code
Using a code is really simple. When you log in to the website, it will ask for a code after entering the password.
You just need to open up the app and copy and paste the code and hit enter!
Backups
Backing up 2FA codes is not particularly simple, as it depends on your app, unless you copy and paste the manual code somewhere.
- Bitwarden: Your codes are not on your device so there’s no need.
- Google Authenticator: You can choose to backup your codes to your Google Drive, or you can export up to 10 accounts as a QR code which you can print and store as a hard copy.
- Authy + Microsoft Authenticator: I have no idea.
Backup Codes
Backup codes are normally given after setting up 2FA as a fallback if you lose your 2FA device (so they should not be stored on the same device).
Normally you should download them and store them in a folder on your computer (for added security, encrypt the folder), or you can print them off and store them in a physical folder somewhere.
For societies it has yet to be decided on the method, but ideally you should print them off and store them in the society locker.
Passkey
Passkeys are relatively new and are basically an extension of security keys, which allow you to sign in without using a password (and are often more secure than a password).
Bitwarden has good documentation here about using Bitwarden to store passkeys, which societies should be able to use.
Personally, I would recommend people not to use these except through Bitwarden unless you have a security key such as a YubiKey, as if you lose or reset your phone, you cannot access your account.
But if you have a Yubikey, use it everywhere, they are the most awesome thing ever created :)
2FAs not to use
The following 2FA methods are insecure and are often worse than a weak password, and so should not be used at all costs (however some websites are still stupid and believe these are okay methods):
- SMS