What is two-factor authentication

Two-factor authentication (2FA) is an extra layer of security used to make sure that people trying to gain access to an account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information. This second factor could come from one of the following categories:

Something you know: A PIN or a password, e.g. your GhostVolt logon username and password.
Something you have: A mobile phone, credit card, smart device.
Something you are: Your fingerprint, an iris scan, or a voice print, etc.

With 2FA, a potential compromise of just one of these factors will not unlock the account. So, even if your password is stolen or your phone is lost, it is highly unlikely that someone else will also have your second-factor information. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity and unlock the account.

GhostVolt and 2FA

The second factor used with GhostVolt is something you have, your smartphone.

You'll also need an app for your smartphone which generates the second factor code for you: an authenticator app. Authenticator apps generate a Timed One Time Passcode (TOTP) which is then used when you log into GhostVolt. Note: authenticator apps are generally free. We use Microsoft Authenticator in the following tutorials.

One-time passcodes?

TOTP stands for Time-based One-Time Passwords and is a common form of two-factor authentication. Unique numeric passwords are generated with a standardized algorithm that uses a unique secret key and the current time as inputs. The time-based passwords are available offline and provide user-friendly, increased account security when used as a second factor.

How to create a Timed One Time Passcode

Turning on two-factor authentication for a repository

Managers of a GhostVolt repository can turn on two-factor authentication for all users by heading over to the Admin tab, then choosing to turn on two-factor authentication.

Turn on two factor auth

  1. Download and install Microsoft Authenticator to your mobile device.
  2. Open Authenticator then choose Add account.
  3. Scan the QR code shown.
  4. Enter the one-time password code into GhostVolt
  5. Press Verify

Now that you've turned on two-factor authentication, it's time to back up your 2FA Recovery key for emergencies. When prompted to do so, save your Emergency login kit.

If you lose access to your mobile device and do not have access to a recovery key, you will not be able to log into GhostVolt.


User two-factor setup

Business Feature Only

When two-factor authentication is enabled across a repository, all users, upon their next logon, will be required to set up two-factor authentication on their device.

User two-factor auth

  1. Log into GhostVolt as normal.
  2. Download and install Microsoft Authenticator to your mobile device.
  3. Open Authenticator then choose Add account.
  4. Scan the QR code shown.
  5. Enter the one-time password code into GhostVolt
  6. Press Verify

Standard users cannot view or save 2FA recovery keys.
Should a user lose access to their 2FA device, they should contact their GhostVolt manager.

Two-factor logon

When 2FA is turned on, and upon successfully entering the correct username and password, you’ll be asked to provide the code shown on your authenticator app.

  1. Open Microsoft Authenticator.
  2. Click GhostVolt
  3. Enter the one-time password code into GhostVolt
  4. Press Verify

If your one-time passcode is valid, GhostVolt will open.


Resetting your account two-factor key

If your two-factor authentication key has been compromised, you can generate a new secret key and stop the compromised key from working.

  1. Open your GhostVolt Admin tab
  2. Click Edit or View account
  3. Click the two-factor authentication Reset button
  4. Follow the steps shown to reset your two-factor authentication key

Your old two-factor authentication key will no longer work after resetting.


Turning off 2FA

Restricted to GhostVolt managers

You can turn 2FA authentication off at any time.

  1. Open your GhostVolt Admin tab
  2. Click Turn off two factor authentication
  3. Click Yes to confirm

2FA will be turned off for you and all your repository users.

Note: If you re-enable 2FA, you and your users must set up your authenticator app again, as your repository secret key will have been changed.


2FA recovery key

Restricted to GhostVolt managers

If you do not have access to your mobile device, you can bypass the 2FA check by using the recovery key saved to your emergency login kit. Note, this option is only available for managers of GhostVolt.

  1. On the GhostVolt 2FA window, click Use recovery key
  2. Open your emergency logon kit and copy Two-factor recovery key
  3. Paste the recovery key into GhostVolt and click Verify

If your recovery key is valid, GhostVolt will log on.


How does GhostVolt generate and store secret keys?

GhostVolt generates a random secret key for each user of your repository. This secret key is then encrypted with the user’s public key, which, in turn, is stored in the repository database. When access to the secret key is required, the user must first log into GhostVolt, which grants access to the user’s private key. The private key is then used to unlock the two-factor secret key. Again, no secrets are stored to disk.

Private keys are encrypted with a user logon password
Secrets are stored in memory using Windows DPAPI