.. _2fa:

=====================
Secure authentication
=====================

To further protect subjects' personal data against compromised or weak passwords, Castellum can *and should* be used with two-factor authentication (2FA). If enabled, you need to enter an additional code before you can log in to Castellum (similar to a TAN for online banking). Currently we support any generic TOTP application or FIDO2 hardware security tokens.

Smartphone apps (TOTP)
======================

We recommend using a 2FA application on your phone. Ask your local IT for suggestions on appropriate apps to use at your institution.

.. admonition:: Example

   At the time of writing (June 2021) the MPI for Human Development recommends that its Castellum users install either `Google Authenticator `_ or `andOTP `_ on Android, or `Microsoft Authenticator `_ on iOS.

TOTP stands for “Time-based One-Time Password”. As the name suggests, each TOTP code can only be used once. Most TOTP apps work the same way:

1. Install an authenticator app on a phone.
2. Register that phone on the website (Castellum) by scanning a QR code with the authenticator app.
3. The app will now generate a new 6-digit numeric code every 30 seconds.
4. The code depends on the current time, so make sure that the phone has the correct time set.

Hardware Keys (FIDO2)
=====================

If you do not want to use your phone and TOTP, you can also choose to use FIDO2-based hardware keys (tokens). In that case we recommend `Yubico FIDO2 tokens `_, but any FIDO2-compatible token should work. The tokens are connected to your device via USB and, once registered successfully, usually just require a tap or key press when prompted on login.

For additional details about supported hardware tokens or authenticator apps, contact your local IT department or security officer.