Two-factor authentication (2FA) adds an extra layer of security to FogBugz On-Demand by requiring an automatically generated access code in addition to your password when you log in. With 2FA enabled, you can rest easy; only you can log into your On-Demand account, even if your password is compromised or stolen.
How 2FA Works
Whenever you log in to FogBugz or Kiln, you will be prompted to enter a verification code.
You need to generate your code using an authentication app on your mobile device or use one of your backup codes.
Please enter the code; that’s it! You will be logged in as usual.
Enabling Two-Factor Authentication
- Download and install an authentication app on your mobile device.
FogBugz 2FA can be used with most Time-Based One-Time Password (TOTP) applications. You can use one of the following apps:
- Enable two-factor authentication:
Navigate to the User Options page (Avatar menu > User Options).
Click Enable Two-Factor authentication.
Add a new account to your authentication app (in most apps, you can do this by tapping a + or ellipsis (…) icon).
Scan the QR code or enter the required details manually.
On the 2FA configuration page, enter the 6-digit code generated by your authentication app.
Click Verify Code.
The next page contains your backup codes. Keep them somewhere safe to be able to log in if you lose your phone.Note: Do not keep the backup codes protected with the same password that you use for FogBugz.
What else happens once 2FA is enabled?
- When you first enable 2FA, all existing tokens and sessions (other than the current one) will be deactivated.
- FogBugz login API command will no longer work; see how to generate an API token.
- Kiln repositories must be accessed via SSH.
- The Kiln Client path-guessing feature is disabled (this will be restored in a future release).
Can I receive a text message with my code rather than opening an app each time I want to log in?
Answer: This option is currently not available. Let us know if you do not have a smartphone and need SMS support.
I cannot get a working access code. How do I log in?
Answer: If you lost your phone, deleted your authentication app, or cannot get the codes to work, you can use one of your backup codes to sign in. They were provided to you after you set up two-factor authentication for your account. Note that each backup code can only be used once. However, you can regenerate your backup codes on the User Accounts page. If you do not have access to your backup codes, contact a Site Admin and have them manually disable two-factor authentication for your account.
I am an Admin. How can I disable 2FA for a user?
Answer: On the Users page (Avatar menu > Users), edit the user, then click on the link to disable 2FA.
I am an Admin. Can I request that all users enable 2FA or enable it for them?
Answer: Two-factor authentication is currently a per-user feature that must be enabled by each user. Currently, there is no option to make 2FA mandatory for all accounts.
I am using Android and having trouble verifying my Access Codes. What is the solution?
Answer: This issue might be caused by the fact that the time in your Google Authenticator app is not synced correctly. To synchronize it, please follow the steps below:
- Go to the main menu in the Google Authenticator app.
- Tap Settings.
- Tap Time correction for codes.
- Tap Sync now.
On the next screen, the app will confirm that the time has been synced, and you should be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app. It will not change the time settings on your device.
I am using iOS and having trouble verifying my Access Codes. What is the solution?
Answer: This issue might be caused by the fact that the time on your Authenticator app is not synced correctly. To synchronize it, please follow the steps below:
- Go to iOS Settings.
- Go to the General section.
- Tap Date and Time.
- Turn off the Set Automatically option for a few seconds.
- Turn it back on.
This will sync the time for the Authenticator app; you should be able to use your verification codes to sign in.