diff --git a/assets/images/security/2fa/applications.png b/assets/images/security/2fa/applications.png new file mode 100644 index 0000000..2da6b9a Binary files /dev/null and b/assets/images/security/2fa/applications.png differ diff --git a/assets/images/security/2fa/applications.webp b/assets/images/security/2fa/applications.webp new file mode 100644 index 0000000..88fc073 Binary files /dev/null and b/assets/images/security/2fa/applications.webp differ diff --git a/assets/images/security/2fa/token-created.png b/assets/images/security/2fa/token-created.png new file mode 100644 index 0000000..2c8ff18 Binary files /dev/null and b/assets/images/security/2fa/token-created.png differ diff --git a/assets/images/security/2fa/token-created.webp b/assets/images/security/2fa/token-created.webp new file mode 100644 index 0000000..126711b Binary files /dev/null and b/assets/images/security/2fa/token-created.webp differ diff --git a/content/security/2fa.md b/content/security/2fa.md index 3e38051..526dafa 100644 --- a/content/security/2fa.md +++ b/content/security/2fa.md 
@@ -6,22 +6,18 @@ eleventyNavigation: --- ## Why Two-factor Authentication? -While it is important to have a strong password, to gain extra security i.e. in case your password or device ever gets compromised, it is a good idea to configure -Two-factor Authentication for your account. +While it is important to have a strong password, to gain extra security, e.g. in case your password or device ever gets compromised, it is a good idea to configure Two-factor Authentication for your account. -With Two-factor Authentication, you will be asked for an authentication code generated using -your phone in addition to your password, when logging into Codeberg. +With Two-factor Authentication, you will be asked for an authentication code generated using your phone in addition to your password when logging into Codeberg. -That way, if your password gets compromised, but your phone stays safe, your account cannot be compromised -due to the loss of password alone. +That way, your account cannot be compromised even if your password does get compromised, as long as your phone stays safe. ## How to set up Two-factor Authentication ### Prerequisites You will need an authenticator app installed on your phone. -If you don't already have an authenticator app and you're not sure which app to -use, have a look at Aegis Authenticator +If you don't already have an authenticator app and you're not sure which app to use, have a look at Aegis Authenticator ([F-Droid](https://f-droid.org/de/packages/com.beemdevelopment.aegis/) | [Google Play Store](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=en_US)) or Authenticator ([App Store](https://itunes.apple.com/app/authenticator/id766157276)). ### Step 1: Navigate to your user settings 
@@ -42,12 +38,10 @@ use, have a look at Aegis Authenticator Scanning QR Code -After scanning the QR code with your app, enter the six digit code displayed -in your app into the "Passcode" field of the settings form, then click "Verify". +After scanning the QR code with your app, enter the six digit code displayed in your app into the "Passcode" field of the settings form, then click "Verify". ### Step 4: Store your scratch token in a safe place -If your phone ever breaks, get lost or stolen, you can recover your account -using the scratch token. +If your phone ever breaks, get lost or stolen, you can recover your account using the scratch token. That token is showed to you right after setting up 2FA: 
@@ -61,6 +55,29 @@ Please store that token in a safe place. ### Step 5: Done! That's it - you have now configured 2FA for your account. -From now on, each time you log into Codeberg, you will be asked for an -authentication code from your app, adding a layer of security over using -only a password. \ No newline at end of file +From now on, each time you log into Codeberg, you will be asked for an authentication code from your app, adding a layer of security over using only a password. + +## Personal access token +If you push via HTTP, an extra step will be needed to create a personal access token. This token will replace your normal password (+ authentication code) on Codeberg. + +In your profile settings on Codeberg.org, go to the `Applications` tab. +In the section `Manage Access Tokens`, add a `Token Name` and confirm by clicking on the green `Generate Token`. + + + + applications + + +Make sure you copy the generated token because it will not be shown again. + + + + token-created + + +When asked for your password, just supply the token. + +You can either save the token in a safe place (e.g. a password manager) or use your credential manager ([Git's credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage) together with Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) or macOS [Keychain Access](https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac)). + +You can create as many token as you like: one for each computer, one for each Git client, one for each session... you decide! You can also revoke tokens at any time by pressing the red `Delete` next to the token (see previous screenshot). +This is what makes token safer than passwords (without authentication code): you can minimize the impact of a stolen token by limiting its use to e.g. 
one computer, and you can revoke the tokens any time by logging into Codeberg with your password plus authentication code.
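Review bot: in the `@@ -6,22 +6,18 @@` hunk the rewritten guarantee is stronger than the page supports: "your account cannot be compromised even if your password does get compromised, as long as your phone stays safe" ignores the scratch token introduced in Step 4, which lets anyone holding it log in without the phone. Suggest "as long as your phone and your scratch token stay safe". Also in this hunk, the Aegis F-Droid link `https://f-droid.org/de/packages/com.beemdevelopment.aegis/` carries a German locale segment in an English page; `https://f-droid.org/packages/com.beemdevelopment.aegis/` is the locale-neutral URL.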
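Review bot: grammar in the reflowed Step 4 sentence of the `@@ -42,12 +38,10 @@` hunk: "If your phone ever breaks, get lost or stolen" should read "If your phone ever breaks, gets lost or is stolen", and the unchanged context line right after it, "That token is showed to you", should be "shown". Since the hunk is already reflowing these lines, fix both here, and hyphenate "six-digit code" in the Step 3 line of the same hunk.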
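Review bot: the opening line of the new section in the `@@ -61,6 +55,29 @@` hunk, "If you push via HTTP", should say HTTPS: the access token is sent in place of the password on every Git request, so the page should not suggest plain HTTP, and Codeberg remotes are `https://` anyway. Two plural typos in the same section: "You can create as many token as you like" and "This is what makes token safer than passwords" should both read "tokens". The credential-manager sentence names only Windows Credential Manager and macOS Keychain Access; the linked Git credential-storage chapter also covers the Linux helpers, so a short pointer for Linux readers would keep the instructions platform-neutral.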