What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is a security method that helps users add an extra layer of security to their account by requiring them to provide two or more verification factors to sign in to an account. This additional layer of security helps protect user accounts from unauthorized access, even if one factor (like a password) is compromised.
How will MFA work with Prolific?
We will be using a two-pronged approach: Time-based One-Time Password (TOTP) as our primary second factor, and recovery codes as a backup method.
How do I set up multi-factor authentication on my account?
1. Sign in to your account as normal
2. Click on your initials in the upper right-hand corner of the Prolific page
3. Go to your ‘Account’ page
4. You’ll see a ‘multi-factor authentication’ option; click the button to ‘turn on’
5. You’ll then see the below pop-up, with the relevant instructions:
- Install a trusted authenticator app (such as Google Authenticator, Microsoft Authenticator, or Duo Mobile) on your smartphone or tablet.
- Click "Enable MFA" on the Prolific page
- Scan the QR code presented, using your chosen authenticator app
- Enter the code generated by the authenticator app to confirm that set-up has been successfully completed
6. You’ll then be shown your account’s unique recovery code. We strongly encourage you to physically write these codes down and store them securely, as you will need them to regain access if you lose your authenticator app. You’ll need to confirm that you’ve safely and securely recorded the code by ticking the box, and then click ‘continue’.
7. You’ll receive the following screen, confirming that the new authentication factor has been set up, and you can return to Prolific to continue taking studies, now with enhanced account security!
How do I log in to my account using multi-factor authentication?
This article will guide you through how to log in to your Prolific account with multi-factor authentication (MFA) turned on.
If you haven’t already enabled MFA on Prolific, please see the following: Set up MFA.
1. Log in to your account as normal, by entering your email address and password
2. You’ll then see a ‘Verify Your Identity’ screen, prompting you to check your authenticator app
3. Enter the 6-digit code from your authenticator app, into the field provided:
How do I remove multi-factor authentication from my account?
This article will guide you through removing multi-factor authentication (MFA) from your Prolific account. This will increase the chances of someone gaining unauthorized access to your Prolific account, so please consider this carefully before proceeding.
1. Log in to your Prolific account as normal
2. Click on your initials in the upper right-hand corner of the Prolific page
3. Go to your 'Account' page
4. You’ll see a ‘multi-factor authentication’ option, click the button to ‘Remove’
5. You’ll then see a ‘Remove MFA’ pop-up, and will need to re-enter your account password. Click ‘Remove MFA’
6. You’ll then see an ‘Authenticate to continue’ screen, prompting you to check your authenticator app.
7. Enter the 6-digit code from your authenticator app into the field provided, and click ‘Continue’. If you do not have access to your authenticator app, click ‘Try another method’ and enter your unique recovery code.
8. Once you’ve successfully verified, you’ll see the following pop-up, confirming that MFA has been removed from your account.
I’ve lost access to my authenticator app, and I don’t have my recovery code
1. First, contact our support team and explain that you've lost access to both your authenticator app and recovery codes.
2. Once we receive your request, we'll activate recovery mode on your account. You'll receive an email confirmation when this is complete.
3. You can then sign in to your Prolific account without MFA while in recovery mode. Note that during this time, your account access will be limited for security purposes.
4. Upon signing in, you'll see the recovery mode screen. To regain full access to your account, click the 'Verify your ID to unlock your account' button to begin the verification process.
5. You'll be directed to verify your identity through Onfido, our secure verification process. This is the same process you completed when you onboarded with us. Once you’ve clicked ‘I consent’ you’ll be able to continue through to the verification process.
6. After successful verification, you'll see a confirmation screen indicating that your request is being processed.
FAQs
What is TOTP?
TOTP is a form of two-factor authentication that uses a time-based algorithm to generate a unique, temporary code. Here's how it works:
- You set up TOTP using an authenticator app on your phone (like Google Authenticator or Authy).
- The app generates a new 6-digit code every 30 seconds.
- When logging in, you enter this code along with your password.
What are recovery codes?
As part of the TOTP setup process, you’ll be provided with recovery codes:
- Recovery codes are generated when TOTP is first set up.
- These are a set of one-time use codes that can be used if you lose access to your TOTP device.
- We strongly encourage you to physically write these codes down and store them securely, separate from your TOTP device.
- Recovery codes serve as a contingent factor, only usable when TOTP is unavailable.
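As an added example of how one-time recovery codes like the ones described above are typically handled server-side (this is illustrative code, not Prolific's implementation): codes are generated from a cryptographic random source, only their hashes are stored, and redeeming a code removes it so a second use of the same code is refused.

```python
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Create `count` random one-time codes, grouped with a dash for easier transcription."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5).upper()   # 40 bits of randomness per code
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def hash_code(code: str) -> str:
    """Normalise user input (case, dashes) and hash it; the plaintext is never stored."""
    return hashlib.sha256(code.replace("-", "").upper().encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side set of unredeemed code hashes; each code works exactly once."""

    def __init__(self, codes: list[str]):
        self._hashes = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        candidate = hash_code(submitted)
        # Compare against every stored hash in constant time, so response timing does not
        # reveal which entry (if any) matched.
        match = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._hashes.remove(match)   # burn the code: a replay must fail
        return True
```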
Why is this approach better than email?
- Multiple true factors: TOTP represents "something you have" (your phone), while recovery codes are "something you know," both distinct from your password.
- Offline access: TOTP doesn't require internet access to generate codes, unlike email.
- Time-sensitive: TOTP codes expire quickly, reducing the window of opportunity for attackers.
- Not susceptible to email hacks: Even if your email is compromised, your TOTP and recovery codes remain secure.
- Backup option: Recovery codes provide a secure fallback if the TOTP device is lost or unavailable.