
Passwords and 2 Factor Authentication (2FA)

Page last updated , CES

RFB Auth is a sign-in system that we use across all party services. It's built on Keycloak.

A single sign-in means that you only need to log in once per session to use all of the party systems.

RFB Auth also manages your name, initials, and email address. To get any of these changed, DM @AY on Comms or email them.

Applicants do not use RFB Auth to sign in. Applicants sign up with the normal sign-in boxes presented at the sign-in screens for different services. (ie, applicants don't click "Sign in with RFB Auth" or "Sign in with Gitlab".)


Passwords 🔑


Changing Passwords, Members

Changing passwords is done at auth.redfightback.org.

You'll be asked to sign in again before you can access it. This is deliberate: someone who finds your screen unlocked shouldn't be able to change your password without knowing the current one.

Hit "Update" and you'll be prompted to put in your new password.


Changing Passwords, Applicants

Applicants have individual accounts for each party service (ie, Comms, Jitsi, Wiki) and so to reset their passwords they follow the password reset instructions for each service.

  • Applicants' Comms passwords are reset here.

Forgotten Password

If you've forgotten your password, hitting "Forgot Password?" at the sign-in screen will send a password reset email to the email you provided when you signed up.

If you've lost access to the email address you signed up with, a reset email won't help you, and the Server Admins can't read that mailbox either. Make a new email address, then contact a Server Admin (@AY) so your account can have the new email added.


2 Factor Authentication 🔒


2FA Rundown

2 Factor Authentication means that after you put in your username and password during sign-in, you'll be asked to provide a code from an OTP Authenticator app, or plug in and press the button on a hardware security key, like a Yubikey.

2FA adds a second check to logging in: someone who has guessed or stolen your password still can't get into your account without your phone or your key. Everybody is encouraged to use it. *Note that currently only members can use 2FA.


OTP Authenticator app

OTP stands for One Time Password. Each code is valid for a short window (30 seconds in the usual setup) and can only be used once, so every time you sign in you take a fresh code from the app. While a code is still valid it's as good as your password, so only ever type it into the RFB Auth sign-in page.

There are lots of apps that can generate OTPs for you, like Google Authenticator and andOTP. You're free to use whichever you prefer.

Set up an authenticator app at auth.redfightback.org.

  1. Go to Signing In;
  2. Go to Authenticator Application;
  3. Click the Context Menu (the three dots ... on the right hand side) and select "Set Up Authenticator Application".
  4. Now open the authenticator app you've set up on your phone and find the part to Scan QR Code.
  5. Note, if the app asks whether you want an OTP or a TOTP (Timed OTP): the QR code already tells the app which kind to use, so just scan it. If you're typing the key in by hand instead, pick the type shown on the setup page (time-based, TOTP, unless the page says otherwise); a counter-based code won't match what the server expects.
  6. Scan the QR code with your phone.
  7. Enter the 6-digit password generated by your authenticator app.
  8. Finished! Now sign in as normal and you'll be asked to provide an authenticator code after you enter your initials and password.
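What the app does with that QR code, as an added example (this is not RFB Auth's or Keycloak's code): it parses the otpauth:// URI in the code, then derives a fresh 6-digit value from the shared secret and the current 30-second time step (TOTP, RFC 6238, built on HOTP, RFC 4226), which is what Keycloak's default OTP policy uses. The example URI and secret below are constructed, not real credentials; the second secret is the published RFC test secret so the results can be checked.

```python
"""Added example, not RFB Auth's or Keycloak's code: how the 6-digit code in
an authenticator app is produced, and how a server checks it.
"""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed: the sort of thing the setup QR code encodes. The "totp" part
# tells the app which kind of OTP to use, which is why scanning the code
# removes the need to choose.
EXAMPLE_URI = ("otpauth://totp/RFB%20Auth:AB?secret=JBSWY3DPEHPK3PXP"
               "&issuer=RFB%20Auth&algorithm=SHA1&digits=6&period=30")

# RFC 4226/6238 test secret ("12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Extract type, label and parameters from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """HOTP: HMAC the 8-byte big-endian counter, dynamic-truncate to 31 bits,
    keep the last `digits` decimal digits (zero-padded)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="sha1"):
    """TOTP is HOTP with the counter set to the current time step. An app
    set to counter-based HOTP would produce codes the server never expects,
    which is why the type has to match the server's policy."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits, algorithm)


def verify_totp(secret_b32, code, at=None, period=30, skew=1):
    """Server-side check: accept the current step and `skew` steps either
    side for clock drift, compare in constant time, and return the matching
    step so the caller can refuse that step a second time (one use only)."""
    at = time.time() if at is None else at
    step = int(at // period)
    for candidate in range(step - skew, step + skew + 1):
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    cfg = parse_otpauth(EXAMPLE_URI)
    print(cfg["label"], "current code:", totp(cfg["secret"], period=cfg["period"]))
```

The server only ever accepts a code for a step it hasn't already accepted, which is what makes the code "one time": the same 6 digits typed twice within the window are rejected the second time.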

Security Key

A security key is a USB-stick shaped device that saves you typing an OTP code by hand. You either plug it into your computer and press the button in order to authenticate, or you can use your phone's NFC capability to scan it. The key's answer is tied to the website it was registered on, so unlike an OTP code it can't be tricked into working on a look-alike phishing site.

There are dozens of these available. Yubikey is the best known brand, and a key goes for around £25-£50. The cheapest one is fine, so long as it does everything you want it to (ie, scannable with NFC so you can use it on your phone). If you can, register a second key as well and keep it somewhere safe, so that losing one doesn't lock you out.

Set up a security key at auth.redfightback.org.

  1. Go to Signing In;
  2. Go to Security Key;
  3. Click the Context Menu (the three dots ... on the right hand side) and select "Set Up Security Key".
  4. Plug in your security key. Windows may prompt you to "set it up" (give it a name). You can if you like, it's all editable later.
  5. Log in to RFB Auth and then click "Register". A box will pop up asking "Please input your registered authenticator's label". Just leave it default.
  6. Depending on the security key it will start flashing or beeping. Press the button on it.
  7. Finished! Now sign in as normal and you'll be asked to plug in and press your security key after you enter your initials and password.
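Why a registered key can't be phished, as an added example (not RFB Auth's or Keycloak's code): a model of the check a security-key (WebAuthn) sign-in performs. A real key holds a separate key pair per site and signs with ECDSA; the standard library has no ECDSA, so a per-site secret and HMAC-SHA256 stand in for the key pair and the signature here (an assumption for the example). The shape of what is signed and checked follows WebAuthn: the key signs authenticatorData (which contains the hash of the site's rpId) together with the hash of clientDataJSON (which contains the challenge and the origin, both filled in by the browser). The hostnames and secrets below are constructed.

```python
"""Added example, not RFB Auth's or Keycloak's code: a simplified model of a
WebAuthn assertion showing origin binding and replay protection.
"""
import hashlib
import hmac
import json
import secrets


class ToySecurityKey:
    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the device

    def _site_secret(self, rp_id):
        # One secret per rpId: an answer for one site is useless on another.
        # (Assumption: HMAC stands in for a real key's per-site key pair.)
        return hmac.new(self._master, rp_id.encode(), "sha256").digest()

    def register(self, rp_id):
        """Returns what the server stores (in real WebAuthn: a public key)."""
        return self._site_secret(rp_id)

    def get_assertion(self, rp_id, client_data_json):
        """rp_id and the origin inside client_data_json are supplied by the
        browser, not by the web page, so a phishing page cannot lie about them."""
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        client_hash = hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self._site_secret(rp_id), auth_data + client_hash,
                       "sha256").digest()
        return auth_data, sig


def browser_get_assertion(key, origin, challenge):
    """The browser derives the rpId from the page's origin (simplified here
    to the host name) and writes the real origin into clientData."""
    rp_id = origin.split("://", 1)[1].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def server_verify(stored, rp_id, origin, challenge, client_data, auth_data, sig):
    """Every check here is required; dropping any one reopens an attack."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch (replay)"
    if cd.get("origin") != origin:
        return "origin mismatch (phishing)"
    if auth_data != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    expect = hmac.new(stored, auth_data + hashlib.sha256(client_data).digest(),
                      "sha256").digest()
    if not hmac.compare_digest(expect, sig):
        return "bad signature"
    return "ok"


def demo():
    """Genuine sign-in, a relayed phishing attempt, a replay, and a stranger's
    key, all against the same server-side record."""
    key = ToySecurityKey()
    rp_id, origin = "auth.redfightback.org", "https://auth.redfightback.org"
    stored = key.register(rp_id)
    results = {}
    ch = secrets.token_urlsafe(16)
    results["genuine"] = server_verify(stored, rp_id, origin, ch,
                                       *browser_get_assertion(key, origin, ch))
    # A look-alike site (constructed name) relays the real challenge to the
    # user's key, then forwards the answer to the real server.
    phish = "https://auth.redfightback.org.example-phish.net"
    results["phished"] = server_verify(stored, rp_id, origin, ch,
                                       *browser_get_assertion(key, phish, ch))
    # A captured genuine answer replayed against a later challenge.
    captured = browser_get_assertion(key, origin, ch)
    ch2 = secrets.token_urlsafe(16)
    results["replayed"] = server_verify(stored, rp_id, origin, ch2, *captured)
    # Someone else's key answering the right challenge for the right site.
    other = ToySecurityKey()
    results["wrong_key"] = server_verify(stored, rp_id, origin, ch2,
                                         *browser_get_assertion(other, origin, ch2))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

An OTP code has none of these properties: it is just six digits, so whoever you type it to can forward it to the real site within the window. The key's answer names the site it was produced for, and the real server refuses anything produced for a different one.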

I'm Unable to 2FA; lost my device, etc

If you lose your phone, delete the authenticator app, lose your security key, etc, you'll be unable to log in. The way out is through a System Admin: having an admin change any of the information you have on RFB Auth deactivates your 2FA setup.

ie, if an admin changes your initials, 2FA will be deactivated and you'll have to set it up again, so this can be used to get back in if you lose access to your 2FA device. Contact @AY, and expect to be asked to prove it's really you first: anyone who can talk an admin into this gets past your 2FA. Don't plan on this as your only backup; if you can, set up more than one method (an authenticator app and a security key, or two keys) while you still have access.


Info on Choosing Passwords


The general rule of thumb for passwords is, the longer and more random the better. You can use a password manager like Bitwarden or the one built into Firefox to generate and keep track of extremely long, extremely random passwords, unique to each account you have. Unique matters: a password leaked from one site gets tried against every other site straight away.
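How much "longer and more random" buys you, as an added example (not from the original page): the strength of a uniformly random password is its length times log2 of the alphabet size, in bits, and the same arithmetic applies to a passphrase built from random dictionary words. The generators use the operating system's CSPRNG through the `secrets` module; the word list is constructed and far too small for real use, and the figure of 7776 words (the size of the EFF long list) is assumed for the comparison.

```python
"""Added example, not from the original page: password and passphrase
strength in bits, plus generators that use a CSPRNG rather than `random`.
"""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed word list: only here to show the method, not for real use.
TOY_WORDS = ["anvil", "bramble", "copper", "drizzle", "ember", "fjord",
             "granite", "harbour", "ivory", "juniper", "kestrel", "lantern"]


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` symbols drawn uniformly from an alphabet
    of `alphabet_size`: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_needed(target_bits, alphabet_size):
    """Smallest number of symbols (or words) that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length=20, alphabet=PRINTABLE):
    """One uniform draw per character. `secrets` is unbiased and
    unpredictable; `random` (a seeded Mersenne Twister) is neither."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words=6, wordlist=TOY_WORDS, sep="-"):
    """Diceware-style: each word is one uniform draw from the list, so the
    strength depends on list size and word count, not on how long the
    words are."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(target_bits=128):
    """How long each style has to be to reach the same target."""
    return {
        "chars_of_94_symbols": length_needed(target_bits, len(PRINTABLE)),
        "words_from_7776": length_needed(target_bits, 7776),   # EFF long list
        "words_from_toy_list": length_needed(target_bits, len(TOY_WORDS)),
    }


if __name__ == "__main__":
    print(compare())
    print(random_password(), passphrase())
```

A 20-character password from the full printable set and a 10-word passphrase from a 7776-word list both sit around 128 bits; the passphrase is far easier to type from memory, the password is the better fit for anything a password manager fills in for you.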



An Explanation of Auth Tokens

By Comrade JF, 2021/05/24

When you log in using RFB Auth, you get a 'token' back from the server. This token is just some data that says 'I'm X and I have permission to access this RFB stuff'. You can think of it like a rail ticket. When you want to go to an RFB service that requires a log in, you send your token along with the page request and it lets you in if it's valid, just like how you have to use your train ticket to get through the barriers to the platform. If you didn't have a token of some kind, you'd have to send your password every time, and this would be very annoying, in the same way that having to get cash out for every train barrier would be annoying.

You pay for the train ticket once, and then that ticket represents your payment, so that any barrier or conductor who sees your ticket is satisfied that you've paid. It's the same for an auth token: you log in once, and then you get a token that represents that login, so that when the server sees this token it is satisfied that you logged in. The problem is that, just as someone can steal your train ticket and use it themselves when they haven't actually paid, someone can steal your auth token and use it themselves when they haven't actually logged in. The solution is similar too. A train ticket usually only works for a particular amount of time, so yes someone might steal it, but they won't be able to use it forever, and they'll have to steal another ticket or pay themselves. It's the same for an auth token. Someone might steal the token, but if you set a time limit for it, that token can't be used forever, and they'll have to steal another token or log in themselves.
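The ticket with a time limit, as an added worked example (not RFB Auth's or Keycloak's code, and not part of JF's explanation): a minimal bearer token in the JWT layout that Keycloak issues, with the "exp" claim doing the job of the ticket's validity period. Keycloak signs its tokens with an asymmetric key (RS256); here the server keeps a single HMAC key so the example is self-contained, which is an assumption. The key, user, roles and times are constructed.

```python
"""Added example, not RFB Auth's or Keycloak's code: an HMAC-signed token
with an expiry, and what a service does with a stolen or altered one.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-example-key-not-a-real-secret"  # constructed
LIFETIME = 300  # seconds: the "ticket" is good for five minutes


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_token(subject, roles, now, lifetime=LIFETIME):
    """Done once, after the password (and 2FA) check has succeeded."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "roles": roles, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + _b64url(_sign(signing_input))


def check_token(token, now):
    """Return the claims if the token is genuine and unexpired, else raise.
    The signature is checked before anything inside the token is trusted,
    and the verifier uses its own algorithm, never the token's "alg" field."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed") from None
    if not hmac.compare_digest(_sign(f"{header}.{claims}"), _b64url_decode(sig)):
        raise ValueError("bad signature")
    parsed = json.loads(_b64url_decode(claims))
    if now >= parsed["exp"]:
        raise ValueError("expired")
    return parsed


def handle_request(token, now):
    """The barrier: check the ticket, never ask for the password again."""
    try:
        claims = check_token(token, now)
    except ValueError as why:
        return f"401 {why}"
    return f"200 welcome {claims['sub']}"


def tamper(token, **changes):
    """What a thief can do without the key: rewrite the claims. The old
    signature no longer matches, so the server refuses the result."""
    header, claims, sig = token.split(".")
    parsed = json.loads(_b64url_decode(claims))
    parsed.update(changes)
    forged = _b64url(json.dumps(parsed, separators=(",", ":")).encode())
    return ".".join([header, forged, sig])


if __name__ == "__main__":
    tok = issue_token("AB", ["member"], now=1000)
    print(handle_request(tok, now=1100))                  # inside the window
    print(handle_request(tok, now=1400))                  # stolen, but too late
    print(handle_request(tamper(tok, sub="admin"), now=1100))
```

The time limit is the whole defence against theft here, so it has to be short; Keycloak pairs a short-lived access token like this with a longer-lived refresh token that is only ever sent back to the sign-in server, which is why you stay logged in for the session without your services holding a long-lived ticket.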