If the 2FA and TOTP acronyms sound mysterious and intimidating on first approach 😧, do not worry, you will know everything you need to know in under four minutes 🥳.
2FA stands for Two-Factor Authentication. You may sometimes hear about MFA (Multi-Factor Authentication). They mean much the same thing: adding a layer of protection on top of what the industry accepts as the most insecure way of authenticating: passwords 😱!
There are several 2FA/MFA solutions, but most are either also very insecure 🤦 (although vendors will not admit it 🤥), or come with deep data privacy concerns (the use of social logins 🤭). This is why the current best 2FA approach is the use of TOTP, even if it is slightly inconvenient...
TOTP stands for Time-based One-time Passwords. It is a common form of Two-Factor Authentication.
TOTP works like this: a unique numeric password is generated by an algorithm that takes the current time as input together with a secret key shared only between your device and the application requesting the TOTP. Because time-based passwords expire after a short interval, they offer increased security for 2FA.
If your online service provider supports 2FA/MFA, there is a very good chance that it supports TOTP.
You will need to find the Account Security page of your online provider. It is likely to be under a menu Account, Profile, or Security.
As an example, we will explain how to set up 2FA with Google Gmail. First, after having logged into your Gmail account, go to "Manage your Google Account" (the option below your profile icon, in the top right corner).
When you have found it, tap or click on Get Started to open the Security page.
Open the 2-Step Verification dropdown to have access to further configuration.
If you have already installed a second factor (such as your mobile phone number), you will see it here. Go to the "2-Step Verification settings" link.
You will be presented with a list of options for setting up a 2FA. Scroll down until you find the section called "Authenticator App", and tap or click Set Up.
It may be that during this process, your online provider takes the opportunity to ask a few irrelevant questions to capture a bit more data about you 😮... Well, you have to tell them what you have to tell them...
When the time comes 😅, you will be presented with a QR Code to scan with your mobile device. This is a 2FA QR code issued by your online provider, for establishing the 2FA connection. It will be used only once.
Note: this is not an Authenly QR Code, so this is not a way to authenticate directly into an online service via the Authenly magic passwordless and contactless experience.
Scan this QR Code with the 2FA scan in the Authenly app.
Not sure how 🤔? Just tap
As soon as you scan it with Authenly, it will install a secure 2FA on your mobile device, and Authenly will be able to generate TOTP codes on demand.
Your online provider will check that the secure activation worked well, and will ask you to provide a code.
Tap on the newly created 2FA entry in Authenly to access the code for this online provider, and enter the code.
After having scanned the QR Code and entered the TOTP code when asked, you should get a confirmation from the provider, either visually or by email, that the 2FA is now activated.
There is generally an option to retrieve backup codes. You should do this and keep them in a secure location (avoid storing your codes on a server).
The image below shows what your backup codes may look like. Note that Authenly does not know about these codes.
You are now good to go, and your online account is secured via TOTP-based 2FA.
Note that Authenly does not store your 2FA keys on any server. These 2FA keys only stay on your device for maximum security. That's a big plus, because you may find that some 2FA solutions store your keys on their server, which means that if/when they get hacked, your 2FA goes away with the hack 🙄!
In addition, because we do not store the 2FA keys on our server, you can get your code even when your phone is off the internet. Your secure access to your online services is always available and does not even depend on Authenly's own services being available!
A final word: TOTP codes are the most secure form of 2FA to protect your account, so make use of them. However, they only act as a secure patch on top of an otherwise insecure authentication method (ID + password). They do not come close to a full passwordless and contactless experience, as provided by Authenly by getting rid of passwords altogether 🤗.
Have questions? We’ve got answers. If you can’t find what you are looking for, feel free to get in touch.