Two-factor authentication (also known as 2FA or 2-Step Verification) is a technology that provides identification of users through the combination of two different components. In this case, you'll protect your account with something you know (your password) and something you have (your phone). With Two-Factor Authentication enabled on your Colodax account, you will have to provide your password (first "factor") and your 2FA code (second "factor") when signing in to your account. For account security, we recommend turning on "2FA while signing in" after binding Mobile or TOTP to your account.


What's the difference between "Typical passwords" and "2FA"?

A typical password is a string of static information (characters, images, gestures, etc.) that can be easily cracked and is therefore insecure, while 2FA is more complex and provides a higher level of security.

In Colodax, we support 2FA via Email verify and TOTP verify:

1. Email verify: Your account is verified with a randomly generated Email verification code. The code is sent instantly, is valid only for a short period of time, and can be used only once before it expires.

2. TOTP verify: The Time-based One-Time Password algorithm (TOTP) computes a one-time password from a shared secret key and the current time. It combines the secret key with the current timestamp using a cryptographic hash function to generate a one-time password that changes every 60 seconds.
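The three properties item 1 lists for Email verification codes (randomly generated, valid only for a short period, usable only once) are what a server has to enforce on its side. The following is an added example, not Colodax's own code: a small in-memory code store that issues a code from a cryptographically secure random source, rejects it after expiry, consumes it on the first correct use, and additionally caps wrong guesses. The 300-second lifetime, the 6-digit length and the 5-attempt cap are assumptions for the example; the page states none of these values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: the page only says "a short period of time"
MAX_ATTEMPTS = 5         # assumption: cap on wrong guesses per issued code
CODE_DIGITS = 6          # assumption: the page does not state the code length


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int


class EmailCodeStore:
    """One pending verification code per account: short-lived, single use, guess-capped."""

    def __init__(self, ttl=CODE_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, now=time.time):
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._pending = {}       # account id -> PendingCode (a database table in a real service)

    def issue(self, account: str) -> str:
        """Generate a fresh code with the CSPRNG; issuing again replaces any older pending code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = PendingCode(code, self._now() + self._ttl, self._max_attempts)
        return code   # this is the value that would be emailed to the user

    def verify(self, account: str, submitted: str) -> bool:
        """True only for the current, unexpired code; the code is deleted on success."""
        entry = self._pending.get(account)
        if entry is None:
            return False                      # nothing issued, or already used
        if self._now() > entry.expires_at:
            del self._pending[account]        # expired: the user must request a new code
            return False
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[account]        # single use: a replayed code is refused
            return True
        entry.attempts_left -= 1              # wrong guess: burn one attempt
        if entry.attempts_left <= 0:
            del self._pending[account]        # too many guesses: force a re-issue
        return False


if __name__ == "__main__":
    store = EmailCodeStore()
    code = store.issue("demo-account")      # constructed sample account
    print("issued:", code)
    print("first use accepted:", store.verify("demo-account", code))
    print("replay accepted:", store.verify("demo-account", code))
```

The clock is passed in as a function so that expiry can be exercised without sleeping, and the comparison uses `hmac.compare_digest` so that verification time does not depend on how many leading characters of a guess were right.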


What is TOTP and why do I need it?

TOTP is an algorithm that computes a one-time password from a shared secret key and the current time; it is built on a hash-based message authentication code (HMAC). Most 2FA implementations adopt TOTP, with codes that update every 30-60 seconds, which makes them difficult to crack and relatively more secure.


Recommended TOTP

Colodax recommends using Google Authenticator or another offline authenticator app such as Authenticator.

Google Authenticator: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

(We strongly recommend this TOTP app if you are using LastPass to manage your passwords)


What is Secret Key in TOTP?

A secret key is a piece of information or parameter, usually a 16-character string of letters and numbers, that is used to encrypt and decrypt messages in symmetric (secret-key) encryption.

Take Google Authenticator for instance: Colodax will provide you with a 16-character Secret Key while you bind Google Authenticator. If you lose the device with your Google Authenticator, you can download the same app on a new phone and restore 2FA by re-entering the Secret Key in the app. Please understand that Colodax will NOT save or back up your Secret Key; if you forget or lose the Secret Key, your Google Authenticator binding will be LOST and cannot be recovered. For your account security, please preserve your Secret Key in one of the following recommended ways.


How to keep Secret Key?

1. Write it down on a piece of paper;
2. Take a screenshot and back it up in your cloud storage;
3. Record it in your TOTP app.


How to Bind Google Authenticator?


Website
1. After signing in, go to [Account] - [Security];
2. Find [Enable Google Authenticator];
3. Keep your 16-digit Secret Key safe as instructed;
4. Download and open Google Authenticator on your phone, then tap "+" in the app to scan the QR code on the website or enter the Secret Key manually;
5. Enter the Google Authenticator code to finish binding.


Why is my correct 2FA code "Incorrect"?

The most common cause of "Incorrect Code" errors is that the time on the phone running your Google Authenticator app is not synchronized with the server's time. In this case, please make sure that the time on your Google Authenticator device is the same as your local time.


Why can't I receive code when using Email verify as 2FA?

Due to email delays or incompatibility with some email servers, you might not receive the sign-in verification code promptly. To sign in on time and avoid unnecessary problems, we strongly suggest signing in via Password + Google Authenticator. If you haven't yet bound Google Authenticator, please contact us at support@colodax.com and we will help you bind it.