# Introduction

2-step verification is a simple and more secure way to protect your accounts. It combines a password (something that you know) with a second factor (something that you own), so it is less vulnerable to attacks.

The most common verification techniques are:

  • Text messages with a PIN code sent to your mobile phone

  • An authenticator app that generates an authentication code

  • Yubikey (a hardware device similar to USB)

Bloomreach Engagement currently offers 2-step verification with the **Authenticator app** and **Text message**. We plan to support Yubikey soon.

# Configuration

To enable 2-step verification for your Bloomreach Engagement accounts, go to `Settings` > `User Settings` > `Security`.


Configuration window

Once 2-step verification is enabled, you will be asked to verify yourself with the chosen method every time you log in. You will also be asked to provide a new token/code from the authenticator app after 30 days or every time your IP address changes.


Login page - 2-step verification

## Authenticator app

Install an authenticator app on your mobile device. You can use any authenticator mobile app, but we recommend installing Google Authenticator:

  • iOS: <https://itunes.apple.com/us/app/google-authenticator/id388497605>

  • Android: <https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2>

Open the authenticator and scan the QR code to obtain a 6-digit code which you need to input in Bloomreach Engagement. Click "confirm".


Configuration of Authenticator APP

## Backup codes

Backup codes are useful if you don't have access to your mobile or Yubikey. When you enable this option, you will obtain 10 codes that you can use to log in. You can use every code only once.

Note that backup codes are not part of 2-step verification. Use backup codes only as a recovery option if you lose access to your devices.

## Text message

In `User settings` -> `Security`, enable the "Text message" option. When you enable this option, you need to enter your phone number and click `Get code`. Once you receive the code, type it into the text area below. Click confirm.

You can add more phone numbers for this verification method. Just click `show` when text message verification is enabled.

# Troubleshooting and recommendations

Occasionally, you might encounter problems with your Google Authenticator app. We have put together a few solutions that solve the most common problems.

### Sync your Google Authenticator time

Incorrect time synchronization is one of the reasons why your Google Authenticator codes might have stopped working and/or are displaying an error. To resolve this issue, follow these steps:

  1. Open the Google Authenticator app

  2. Navigate to the Menu

  3. Select Settings

  4. Click on _Time Correction for Codes_

  5. Click _Sync Now_. This will automatically correct the time.

### Sync your phone's time

Whether you are using Android or iOS, you will need to navigate into the settings, look for Date & Time, and toggle both automatic time and timezone on.

### Use backup codes

As described above, it is always good to generate and securely store your backup codes. This is useful not only for the times when your app might not be working properly but also for rare cases when you might lose or damage your device.

# Two-step verification Enforcement

In `Project or Account settings` -> `Security` -> `Two-step verification`, you can now enforce the use of two-step verification. In the new settings section, you can decide who needs to use it and will be required to log in again as verification. It can be applied per account, project, or a specific role. Additionally, you can create a new custom role that inherits other predefined roles but has a requirement to use two-step verification. We try to provide the most flexible options for various requirements and situations.

You can apply the enforcement on both the project and account levels. The settings allow you to choose one out of 3 options available:

  • **Optional**: this is the same as before. It is up to you if you want to use two-step verification.

  • **Mandatory for selected roles**: this option allows the client to select a set of roles that require the use of two-step verification. Every user that has one of the selected roles has to use a second factor for login.

  • **Mandatory for all users**: If this option is selected, every user with access to the account/project will be required to use two-step verification.

If specific roles on the account level require the use of two-step verification, this requirement is also inherited on the project level for all projects within the account. It is strongly recommended that users also download backup codes when they are setting up two-step verification. This option is available on the same settings page. Settings can be changed only by the project admin.