2FA Information

Two Factor Authentication (2FA), sometimes referred to as Multi Factor Authentication (MFA), is a method of making an online app more secure. In addition to asking you to authenticate yourself by entering a username and password, it asks you to provide an additional piece of information, usually a 6-digit code that is obtained via an OOB (Out Of Band) process. The code may come from an app on your smart device (e.g. phone or tablet), or it may be sent to your cellphone as an SMS / text message.

This app offers several 2FA options to choose from:

  • TOTP - Time-based One Time Password.
  • HOTP - HMAC-based One Time Password.
  • SMS - SMS or Text message to your cellphone.

TOTP

TOTP is the most popular option. It works by generating a random secret code that is then entered into an app on your smart device. The app then generates a One Time Password (e.g. a 6-digit code) by combining the secret code you gave it with the current date and time. You have to enter this code during the login process. This app generates its own code from the same secret code (which is stored in an encrypted form) and the current date and time. If the code you enter is the same as the code this app generated, you are logged in; if they don't match, you are not allowed in.

TOTP relies on the clock on your smart device and the clock on the server this app is running on being exactly in sync. With today's smart devices that is usually not a problem. The server this app runs on is synchronised to several atomic clocks from around the world, so its clock is pretty accurate.

When you choose TOTP or HOTP you are shown a QR code that contains all the information your authenticator app will need to set itself up. The URI format we use is compatible with Google Authenticator as well as the FreeOTP and OpenOTP authenticator apps. You are also shown the Base32 encoded secret in text format in case your chosen app does not support QR codes, along with all the other information you need to set up the app to work here.

HOTP

HOTP is very similar to TOTP, except that it does not use the date or time. The app on your smart device generates a new code each time you ask it to (usually by clicking on a button). The code is generated using HMAC (Hash-based Message Authentication Code), a mathematical algorithm that generates a pseudo-random code each time it is run. It is "pseudo" random because the next code can be easily calculated if you know the initial secret and which number in the sequence you require. Each time the app on your smart device displays the current code to you, it increments a counter, so the next time you ask it for a code it will display the next one in the pseudo-random sequence. This app also increments a counter each time you successfully log in. So long as the two counters stay in sync this works fine. The problem is that the two counters can get out of sync, for example if you tap the "generate new code" button a few times without logging into this app, or if you mis-enter the code a couple of times (so this app does not increment its counter but the app on your smart device does).

For this reason HOTP is not as popular as TOTP. It is quite easy to re-sync your app, but if you cannot log in because you got out of sync, you will have to contact us to ask that your 2FA is disabled so you can log in and then set it up again.
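
The following is an added example, not this app's own code: it computes HOTP (RFC 4226) and TOTP (RFC 6238) codes from a Base32 secret and shows how a verifier can tolerate clock drift and a counter that has run ahead. The function names, the 30-second step, HMAC-SHA1 and the window sizes (drift_steps, look_ahead) are assumptions; the secret is the published RFC 4226 test key, not a real one.

```python
import base64, hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed `step`-second periods."""
    return hotp(secret, unix_time // step)

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so the check does not leak matching digits.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_totp(secret, submitted, unix_time, step=30, drift_steps=1):
    """Accept the current period plus `drift_steps` periods either side (assumed window)."""
    now = unix_time // step
    return any(_same(hotp(secret, now + d), submitted)
               for d in range(-drift_steps, drift_steps + 1) if now + d >= 0)

def verify_hotp(secret, submitted, server_counter, look_ahead=3):
    """Return the new server counter on success, None on failure.

    Searching a few counters ahead absorbs extra button presses on the device.
    Moving the counter past the matched value means a used code never works again.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, c), submitted):
            return c + 1
    return None

# Constructed sample: the RFC 4226 test key, Base32 encoded as an enrolment page shows it.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print("TOTP at t=59:", totp(SECRET, 59))
    device_code = hotp(SECRET, 2)                # device pressed twice without logging in
    print("strict match:", verify_hotp(SECRET, device_code, 0, look_ahead=0))
    print("with look-ahead:", verify_hotp(SECRET, device_code, 0))
    print("replay after resync:", verify_hotp(SECRET, device_code, 3))
```

A larger look_ahead or drift_steps value makes lockouts rarer but widens the set of codes that are valid at any moment, so both windows should stay small and be paired with attempt limiting.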

SMS

This works by sending you the additional code you need to log in via SMS / text message to your cellphone. You will need to enter your cell number in your profile to enable this type of 2FA. The advantage of SMS is that you don't need a smart device to make it work; as long as your cellphone is able to receive SMS messages you're good. It does not suffer from de-syncing like HOTP, as a new, random code is sent to you each time you log in. Occasionally there may be delays or problems sending the SMS across different countries and, of course, if you lose your phone that might be a problem!

Because ARDC is an international organisation, when you enter your cellphone number into your profile, you must enter your country code as well as your cellphone number. The SMS messages are currently sent out from the UK, and international SMS delivery is getting harder to do reliably as countries introduce ever more stringent anti-spam measures.

We highly recommend that you enable 2FA on your account. This helps to maintain good security, not only for your own data, but for this entire app. We recommend TOTP unless you have a good reason to use one of the other options.