dallasgroot/Documentation
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/Documentation.git synced 2026-06-16 05:13:54 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

personal access token for HTTP push

Browse source
This commit is contained in:
Ivan Calandra 2020-10-13 16:25:26 +02:00
parent 43603978ff
commit c2d02b6094
5 changed files with 32 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
assets/images/security/2fa/applications.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
assets/images/security/2fa/applications.webp Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
assets/images/security/2fa/token-created.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
assets/images/security/2fa/token-created.webp Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 36 KiB

47
content/security/2fa.md
View file

@ -6,22 +6,18 @@ eleventyNavigation:
---
## Why Two-factor Authentication?
While it is important to have a strong password, to gain extra security i.e. in case your password or device ever gets compromised, it is a good idea to configure
Two-factor Authentication for your account.
While it is important to have a strong password, to gain extra security, e.g. in case your password or device ever gets compromised, it is a good idea to configure Two-factor Authentication for your account.
With Two-factor Authentication, you will be asked for an authentication code generated using
your phone in addition to your password, when logging into Codeberg.
With Two-factor Authentication, you will be asked for an authentication code generated using your phone in addition to your password when logging into Codeberg.
That way, if your password gets compromised, but your phone stays safe, your account cannot be compromised
due to the loss of password alone.
That way, your account cannot be compromised even if your password does get compromised, as long as your phone stays safe.
## How to set up Two-factor Authentication
### Prerequisites
You will need an authenticator app installed on your phone.
If you don't already have an authenticator app and you're not sure which app to
use, have a look at Aegis Authenticator
If you don't already have an authenticator app and you're not sure which app to use, have a look at Aegis Authenticator
([F-Droid](https://f-droid.org/de/packages/com.beemdevelopment.aegis/) | [Google Play Store](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=en_US)) or Authenticator ([App Store](https://itunes.apple.com/app/authenticator/id766157276)).
### Step 1: Navigate to your user settings
@ -42,12 +38,10 @@ use, have a look at Aegis Authenticator
<img src="/assets/images/security/2fa/qr-scan.jpg" alt="Scanning QR Code">
</picture>
After scanning the QR code with your app, enter the six digit code displayed
in your app into the "Passcode" field of the settings form, then click "Verify".
After scanning the QR code with your app, enter the six digit code displayed in your app into the "Passcode" field of the settings form, then click "Verify".
### Step 4: Store your scratch token in a safe place
If your phone ever breaks, get lost or stolen, you can recover your account
using the scratch token.
If your phone ever breaks, get lost or stolen, you can recover your account using the scratch token.
That token is showed to you right after setting up 2FA:
@ -61,6 +55,29 @@ Please store that token in a safe place.
### Step 5: Done!
That's it - you have now configured 2FA for your account.
From now on, each time you log into Codeberg, you will be asked for an
authentication code from your app, adding a layer of security over using
only a password.
From now on, each time you log into Codeberg, you will be asked for an authentication code from your app, adding a layer of security over using only a password.
## Personal access token
If you push via HTTP, an extra step will be needed to create a personal access token. This token will replace your normal password (+ authentication code) on Codeberg.
In your profile settings on Codeberg.org, go to the `Applications` tab.
In the section `Manage Access Tokens`, add a `Token Name` and confirm by clicking on the green `Generate Token`.
<picture>
<source srcset="/assets/images/security/2fa/applications.webp" type="image/webp">
<img src="/assets/images/security/2fa/applications.png" alt="applications">
</picture>
Make sure you copy the generated token because it will not be shown again.
<picture>
<source srcset="/assets/images/security/2fa/token-created.webp" type="image/webp">
<img src="/assets/images/security/2fa/token-created.png" alt="token-created">
</picture>
When asked for your password, just supply the token.
You can either save the token in a safe place (e.g. a password manager) or use your credential manager ([Git's credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage) together with Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) or macOS [Keychain Access](https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac)).
You can create as many token as you like: one for each computer, one for each Git client, one for each session... you decide! You can also revoke tokens at any time by pressing the red `Delete` next to the token (see previous screenshot).
This is what makes token safer than passwords (without authentication code): you can minimize the impact of a stolen token by limiting its use to e.g. one computer, and you can revoke the tokens any time by logging into Codeberg with your password plus authentication code.