Enabling Multifactor Authentication

Multifactor Authentication is a way to increase the security of your account that requires you to enter additional one-time passcodes before you can gain access to your DreamHost account. It's a smart move that can help to protect you from hackers and website hijackers.

At DreamHost, we're proud to provide you the choice to use either the Google Authenitcator app or a Yubikey with the DreamHost panel. We've picked the Google Authenticator app because it's available on Android devices, iOS devices like the iPhone, BlackBerry devices, and even on Windows Phone via 3rd party apps. We picked YubiKey because it's a cheap, small, and durable hardware device with quite flexible configuration that can be set up to be used to keep many sites secure for you, not just our panel.

Take a look at the instructions below and we'll walk you through it, or check out our Multifactor Authentication FAQ for more information!

Getting Started

Getting the Google Authenticator App

Before you can enable Multifactor Authentication on your DreamHost account, you'll need to install the Google Authenticator app on your smartphone or tablet device.

Google's official documentation on downloading and installing the app can be found here: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447.

The app can be downloaded from your device's App Store (or use Google's direct link for BlackBerry):

• Android devices: Google Play
• iPhone, iPad, or iPod Touch: iTunes App Store
• BlackBerry devices: Google Authenticator Download (visit from your BlackBerry device)
• Windows Phone: Microsoft Authenticator (Official Microsoft App), Authenticator+ (Third Party Open Source)

Getting A YubiKey

If you choose to use a YubiKey to secure your DreamHost account, you'll need to get the hardware first. Click here to purchase a YubiKey. You'll need to make sure your YubiKey is configured to use "Yubico OTP". It should come preconfigured this way, but if you need to set it up yourself download the Cross-Platform Personalization Tool to reprogram it.

1. Plug in your YubiKey and open up the personalization tool
2. Click on Yubico OTP in the upper left corner.
3. Click on Quick

   You should see something like the following:

   

4. Select Configuration Slot 1
5. Click on Write Configuration to give your YubiKey the new configuration
6. Click on Upload to Yubico to tell Yubico's verification servers about your key's new configuration.

Turn On Multifactor Authentication

1. Once you have the Google Authenticator App installed, log in to the panel and go to the Security tab in "Billing & Account" on the left hand side.

   The second section on that page is titled Multifactor Authentication.

   

2. Enter your DreamHost account password in the Current Password field.
3. Use the Multifactor Authentication Type drop-down list to choose the multifactor authentication method you would like to use.

   We recommend either YubiKey or Google Authenticator with time-based one-time passcodes. Time-based codes provide better protection against phishing and keyloggers since each code is only valid for a short amount of time. Time-based codes also automatically stay in sync with our servers, as opposed to counter-based codes which require manual syncing.

   If you use counter-based codes, you will need to press the refresh button next to the code in the Google Authenticator App each time you use it to advance it to the next code.

4. Click the Get Started button.

   Google Authenticator Only: You will now see a QR Code and a 16-digit Secret Key that you will need to activate Multifactor Authentication.

   

   1. Use the Google Authenticator App to scan the QR code. If your device does not have a camera you can enter the 16-digit Secret Key shown below the QR code into the app manually. If you have more than one device running Google Authenticator, scan the QR code or enter the key on every device that you want to use with this dreamhost account.
   2. The Google Authenticator app will display a 6-digit passcode. Enter the 6-digit passcode in the Passcode field.

      If you are using counter-based codes you may need to press the refresh button to display the first code

      

   YubiKey Only: You won't see any QR code or secret key...just a box to put a passcode in:

   

   1. Plug in your YubiKey and touch the disk. It should type 44 letters in the "Passcode" field.
5. Click the Activate! button and we'll make sure our servers are properly synced with your phone.

   Your account now has Multifactor Authentication enabled.

   

   If you suspect your account may be compromised (for example if you have lost your phone or mobile device), and you're using Google Authenticator, you can use the Regenerate Key button to invalidate the old key and create a new one.

6. Write down the 5 backup scratch codes presented when you successfully enable Multifactor Authentication -- they will let you get access to your account if your Multifactor Auth device ever gets lost or broken. We won't show these again, so make sure you write them down now. If they get lost or stolen (you just forgot to write them down, didn't you?) click the Regenerate Scratch Codes button to invalidate all the old codes and make a new set.

Changes to Login with Multifactor Authentication Enabled

Once you've enabled Multifactor Authentication, you'll notice changes to the Login screen and the steps necessary to access your account.

Your Login screen will look like this:

You will now see a Multifactor Authentication Code field which you will use to enter the 6-digit passcode generated by your mobile device, and a Remember this computer? drop-down which will save you the step of generating and entering a passcode for either 1 week, or 1 month.

If you choose one of the options from the Remember this computer? drop-down such as 1 month, and log in during the time period you've selected, instead of the Multifactor Authentication Code field you will see a message indicating that your computer has already been verified.

After the time period you have selected expires, you will once again see the Multifactor Authentication Code field.

Changes When Logging in from a New Computer

Multifactor Authentication uses browser cookies to function, so if you try to log in from a new computer that has never been logged into DreamHost before, the Multifactor Authentication Code field will not initially be visible, and your first log in attempt will fail. After that first attempt, DreamHost will identify your account and make the Multifactor Authentication Code field visible so that you can log in.

This error message will appear the first time you log in with a new computer or if you do not enter a Multifactor Authentication Code:

Account Recovery with Multifactor Authentication

If you lose your Google Authenticator device you will need to use a scratch code or write in to support to regain access to your account, so keep your scratch codes somewhere safe! If you forget your password but still have your Google Authenticator device (or a valid scratch code) you can still click on the "forgot password?" link on the login page:

Clicking this link will bring you to a form that asks for your e-mail address. Once you submit the form we will send you a link that you can use to reset your password, as long as you still have your second authentication factor available.