How do I setup Two-Factor Authentication (2FA) in Krystal Identity?

What is Two-Factor Authentication (2FA)?

Two-factor authentication adds an additional layer of security to your Krystal client area by adding a second step to your login. In addition to something you know (i.e. your existing password) it adds what is known as a possession, or second factor, based on something you possess - which in this case will be an App on your mobile phone or desktop.

Since both are required to log in, even if an attacker has your password they can't access your account unless they also possess your phone.

Why is Two-Factor Authentication necessary?

Passwords are often compromised when mobile devices or computers are stolen or infected with malware - or when insecure networks are used to retrieve passwords by email. They can often be guessed, they usually don't change very often, and despite advice otherwise, many of us have favourite passwords that we use for more than one thing. So two-factor authentication gives you additional security because your password alone no longer allows access to your account

What Type of 2FA does Krystal support?

We support physical security keys and the open-source OAuth service (external link opens in a new window), simply because it is free to implement for our customers and is in widespread use. All that is required is an App that supports the creation of OTP (One Time Password) tokens. This basically means that the App produces a 6 digit number that changes every 30 seconds. This number is entered along with your usual client area login password.

While there are a lot of apps that do this, we tested and like Google Authenticator - which has versions for iPhone & Android devices as well as a Chrome browser extension.

Tip: You'll need to have a 2FA app like Google Authenticator or Microsoft Authenticator installed before you'll be able to complete this process.

What is Krystal identity?

Krystal Identity is our brand-new secure platform designed to centralise your access to our services. Designed and built entirely in-house, Krystal Identity also provides a new level of security for your account, including:

  • More options for two factor authentication - authenticator apps or security devices like Yubikeys.
  • More automated monitoring of account activity to attempt to detect malicious behaviour.

Access Security settings via your Krystal Client area

  1. Login to your Krystal Client Area and then click on your name in the top right corner.

  1. Click Security Settings

  1. Click "Manage Two Factor Authentication in Krystal Identity".

Access Security settings via Krystal Identity

  1. Please login to Krystal Identity (Internal Link opens in a new tab)
  2. Once logged in, click the "Security settings" option.

Adding an Authenticator app

  1. Click the "Set up an authenticator app" button

You'll now see the 2FA setup screen.

  1. Scan this code with your Two-Factor Authentication (2FA) App

Open your 2FA app and follow the app's instructions to add a new account. Instructions for Google Authenticator can be found here, for both iOS and Android

Once you've scanned the barcode or entered the displayed text code, the new account should be added in your app and generating One-Time Password (OTP) codes.

  1. Enter the code displayed in the app

Enter a valid code or scan the QR code from your app and click the "Link authenticator app" button.

  1. Done! Any future login attempts will now ask you to confirm the code from your Authentication app.

Adding a security key

  1. Click the "Register your first security device" button.

  1. Select a name for your security key.

  1. Select "Use another device"

  1. Select "Security Key"

  1. Touch your security key to authenticate the request

  1. Your key has now been added!

  1. You can now see and manage your security key.

  1. Done! You can now use your security key to access your Krystal-powered services!

Generating a new recovery code

  1. To generate a recovery code, click the "Generate your recovery codes" option:
  1. Click "Generate recovery codes"

  1. You will now see your recovery codes, please ensure you note these down straight away as they will only be shown for 1 minute.

Disabling 2FA

To disable two factor authentication, you will need to remove the enabled authentication methods.

Authenticator app:

  1. Please login to Krystal Identity (Internal Link opens in a new tab)
  2. Once logged in, click the "Security settings" option.
  1. Navigate to the "Authenticator App" header and click the "Remove app" button.

  1. You will no longer be asked for this form of authentication when you login, however, we strongly suggest setting up two factor again as soon as possible.

Security Key:

  1. Please login to Krystal Identity (Internal Link opens in a new tab)
  2. Once logged in, click the "Security settings" option.

  1. Navigate to the "Security Keys" header and click the "Remove" button beside the key you would like to remove.

  1. You will no longer be asked for this form of authentication when you login, however, we strongly suggest setting up two factor again as soon as possible.

Unable to create a 2FA code or use a backup code

If you're unable to generate a 2FA code (maybe you've changed phones or no longer have access to the 2FA app) - and you don't have access to your backup code you'll need to contact support.

We will then begin the enhanced security procedure to help you gain access to the account.

Please note you will need to supply the required ID.


How did we do?


Powered by HelpDocs (opens in a new tab)
© Krystal Hosting Ltd 2002–