FediTips has moved!
You can keep your Mastodon account extra safe by using Two Factor Authentication (2FA).
To activate this, log in through your server's website and go to ⚙️ Preferences > Account > Two Factor Auth, then follow the instructions.
It is slightly tricky to set up, but once it's been set up it's very easy to use.
2FA means that even if someone finds out your password they cannot log in. With 2FA activated, your phone will give you a special one-time code to allow your password to work.
FediTips has moved!
p.s. There are LOTS of apps that work with 2FA on Mastodon such as Raivo, Aegis and many others. (They are technically known as "TOTP apps" or "authenticators")
Maybe people can recommend good 2FA apps in the replies?
fmmaks
@feditips FreeOTP+ is very Good and easy to use client
muznyo :archlinux:
@feditips @ente auth or @bitwarden
FediTips has moved!
When you do the 2FA setup on Mastodon (and many other sites), there's a special code you print out and keep in a safe place, which lets you access your account if you lose/break your phone.
dylan :fuck_verify:
@feditips I use Google Authenticator, but I don’t think it really matters
The Mad Codger :pdx_badge:
@dylanchapell @feditips It depends on your personal feelings towards this, but my problem with Google Authenticator is if something happens to your phone or if you forget and reformat your phone, there's no way to recover those codes. It's more secure in that it's not backed up in any cloud, but I've been dumb in the past before and now prefer Aegis.
FediTips has moved!
You don't have to use 2FA at all. This is entirely optional.
If you do use 2FA, you can use either an app or a physical security key which plugs into your laptop.
Codgertator
@feditips Can you PLEASE find an alternative means of implementing 2FA? Not all of us have cell phones or ways to get text messages. Because of this, I've been locked out of a couple of my accounts, when these big corporations just blithely assumed everyone was already married to a cell phone, and they made it part of their standard login procedure.
Sam Shores
@feditips BitWarden supports TOTP, though if you're using their cloud service it requires a paid plan, IIRC. I'm not sure where the self-hosted version lands.
FinchHaven
And apparently the only way to add 2FA to Mastodon is to use Yet Another(tm) third-party “app”
So that third party - someone unknown to me otherwise- has my phone number *and* all the 2FA transactions I conduct using that app
Why not just send an SMS/text directly to my phone, like my banks and eleventy-dozen other places do
Why drop an app in there at all?
FediTips has moved!
No, the 2FA app has no knowledge of whether you've used it or not. It just passively displays codes related to a particular timestamp and encryption key. It's essentially an elaborate clock.
If you open the 2FA app, its codes will keep changing as the clock ticks, regardless of whether you've used them.
SMS on the other hand DOES give a trail every time it is used. It is also insecure and much easier for hackers to spy on.
@fascinatorfun@mastodon.green
But don’t you have to go through that God-awful rigmarole of waiting for a request for authentication every single time you log on ?
I’d just stop tooting.
FediTips has moved!
The app doesn't need your phone number either. I use a 2FA app that collects no data at all, you just enter a code to begin with and it will then spit out the correct codes later on when it is needed.
SMS does require your phone number though, which is another potential security weakness.
Alfredo Montanez 🇺🇸🇺🇦🏳️🌈💛
@feditips I never used 2FA because I worry that it would be taken from me like Musk took it away and people couldn't log into their accounts cause of it
FediTips has moved!
When you do the setup, there's a special backup code given which you should put into a safe place (for example by printing it out and keeping it at home with your other important documents).
If you lose access to your 2FA app, you can use this backup code to gain access to your account.
Aaron C. Roberts
@feditips I have had enormous success with YubiKey. I am not affiliated in any way with them
They offer FIDO U2F compliant keys with a lot of features. My primary keys are 5C NFC and work with my Phone and Macbook. The greatness of what YubiKey created is that the key itself is where the info is stored, not the app like Google/MS. Using my pw-manager (Bitwarden) to store the QR codes allows me to recreate a key if I loose mine, or create a backup key. https://www.yubico.com/
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.