Two-step Signin is Here

Posted on February 19, 2014 in Blog | Hover Product Features

Hover customers looking for a little bit of extra security now have a couple of new options: Two-step Signin and Log Signin Activity.

  • Two-step Signin means that you need something you know (your Hover username and password), plus something you have (in this case, your mobile phone) in order to access your account.
  • Log Signin Activity, when enabled, puts an entry into the Activity feed in your Hover account with the IP and timestamp every time your account is accessed.

Log Signin Activity is a simple check box to enable on the Settings page. Two-step Signin requires a few more steps, but is still pretty simple.

Here’s how Two-Step Signin works:

You enable Two-step Signin from the “Settings” area of your Hover account. We’re supporting TOTP-based authenticator apps like Google Authenticator (iOS/Android/Blackberry 4-7), Duo Mobile (iOS/Android), Windows Authenticator (Windows Phone) and Authomator (BlackBerry 10) and also SMS (text message) for those without a smart phone.

Once enabled, you’ll sign in to your account as usual, with your username and password. After that, you’ll see an additional sign-in screen that prompts you for either the code displayed in your authenticator app or the special code sent to your phone via text message.

Having it enabled means that even if someone were to get your username and password somehow, they wouldn’t be able to log in since they would also need to have access to your phone to successfully sign into your account.

Avoiding Getting Locked Out!

While Two-step Signin provides additional security, it also means that you run the risk of locking yourself out of your account if you don’t have your phone with you or if it’s lost or stolen. The Recovery Code provided when you set up Two-step Signin is important for this reason.

When you set it up on your account, please note the Recovery Code and save it somewhere safe (write it down and stick it in your wallet, or store it in a secure app like 1Password or LastPass).

In the event you lock yourself out of your account because you either lost your phone, or deleted the authenticator app, it’s going to be a real hassle to get you access again without that Recovery Code. We’re not going to share what would be required, but suffice to say, it’s not something we’d do over the phone with you in a few minutes. Save us both the trouble and write down that Recovery Code please!

While testing Two-step Signin late last week on one of our staging servers, I managed to lock myself out of my account. I foolishly didn’t bother saving the recovery code and then deleted the account from my Authenticator app thinking it was for another service. The result was an email of shame to the development team to get it turned off. In real life it won’t be that easy to get back into your account.

View a Step-by-Step Guide to Enable Two-step Signin

We have a nice step-by-step guide to enabling Two-step Signin on your account, including a list of the mobile apps that are compatible with our Two-step Signin system. View it here.

p.s. write down that Recovery Code!