Two-Factor Authentication (2FA) adds an extra layer of security to FogBugz On Demand by requiring an automatically generated access code in addition to your password when you log in. With 2FA enabled, a compromised or stolen password is not enough on its own to log into your On Demand account.
How It Works
- Whenever you log on to FogBugz or Kiln, you will be prompted to enter a verification code.
- You will generate your code using an authentication app on your mobile device or use one of your backup codes if necessary.
- Enter the code, and you will be logged on as usual, with added peace of mind.
Enabling Two-Factor Authentication
Part 1 - Download and Install an Authentication App
Before you set up two-factor authentication, you will need to download and install an authentication app on your mobile device. FogBugz 2FA can be used with most Time-Based One-Time Password (TOTP) applications. We have confirmed these:
- iPhone — Google Authenticator, Authy
- Android — Google Authenticator, Authy
- Windows Phone — Microsoft Authenticator
Part 2 - Enable Two-Factor Authentication
- Navigate to the User Options page (Avatar > Options).
- Click Enable two-factor authentication.
- Add a new account to your authentication app — in most apps, you can do this by tapping a + or … icon.
- Scan the QR code, or enter the details by hand if necessary.
- On the 2FA configuration page, enter the 6-digit code generated by your authentication app.
- Click Verify Code.
The next page contains your backup codes. Keep them somewhere safe so you can still log on if you lose your phone.
NOTE: Do not store them somewhere protected by the same password you use for FogBugz.
What else happens once 2FA is enabled?
- When you first enable 2FA, all existing tokens and sessions (other than the current one) will be invalidated.
- The FogBugz login API command will no longer work; see how to obtain a token for the FogBugz API.
- Kiln repositories must be accessed via SSH.
- The Kiln Client Tools path-guessing feature is disabled (this will be restored in a future release).
Can I receive a text message with my code rather than opening an app each time I want to log in?
Not currently. Let us know if you do not have a smartphone and need SMS support.
I cannot get a working access code. How do I log on?
If you lose your phone, delete your authentication app, or cannot get the codes to work, you can use one of your backup codes to sign in. These were provided to you after you set up two-factor authentication for your account.
NOTE: Each backup code can only be used once, but you can regenerate your backup codes on the User Accounts page. If you do not have access to your backup codes, contact a Site Admin and have them manually disable two-factor authentication for your account.
I am an admin. How can I disable 2FA for a user?
On the Users page (Gear > Users), edit the user, then click the link to disable 2FA.
I am an admin. Can I require that all users enable 2FA or enable it for them?
Two-factor authentication is currently a per-user feature that each user must enable for themselves. There is no way at present to require 2FA for all accounts.
I am using Android, and I am having trouble verifying my access codes. What is the solution?
This might be because the time on your Google Authenticator app is not synced correctly. To make sure that you have the correct time:
- Go to the main menu on the Google Authenticator app.
- Click Settings.
- Click Time correction for codes.
- Click Sync Now.
On the next screen, the app will confirm that the time has been synced, and you should now be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date & Time settings.