What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is a security method that helps users add an extra layer of security to their account by requiring them to provide two or more verification factors to sign in to an account. This additional layer of security helps protect user accounts from unauthorized access, even if one factor (like a password) is compromised.
How will MFA work with Prolific?
We will be using a two-pronged approach: Time-based One-Time Password (TOTP) as our primary second factor, and recovery codes as a backup method.
FAQ’s
What is TOTP?
TOTP is a form of two-factor authentication that uses a time-based algorithm to generate a unique, temporary code. Here's how it works:
- You set up TOTP using an authenticator app on your phone (like Google Authenticator or Authy).
- The app generates a new 6-digit code every 30 seconds.
- When logging in, you enter this code along with your password.
What are recovery codes?
As part of the TOTP setup process, you’ll be provided with recovery codes:
- Recovery codes are generated when TOTP is first set up.
- These are a set of one-time use codes that can be used if you lose access to your TOTP device.
- We strongly encourage you to store these codes securely, separate from your TOTP device.
- Recovery codes serve as a contingent factor, only usable when TOTP is unavailable.
Why is this approach is better than email?
- Multiple true factors: TOTP represents "something you have" (your phone), while recovery codes are "something you know," both distinct from your password.
- Offline access: TOTP doesn't require internet access to generate codes, unlike email.
- Time-sensitive: TOTP codes expire quickly, reducing the window of opportunity for attackers.
- Not susceptible to email hacks: Even if your email is compromised, your TOTP and recovery codes remain secure.
- Backup option: Recovery codes provide a secure fallback if the TOTP device is lost or unavailable.