Two-Step Verification is an increasingly popular form of two-factor authentication, where added account security is provided by requiring demonstration of the possession of a “thing” in addition to knowing a password. In this, case, the thing is your iOS device, and possession of it is proven to the target site by entering a two-step verification token (set of digits) that changes every 30 seconds. Since the only practical way of knowing this changing number is to posses a device that can calculate it , a second level of assurance that “you are who you say you are” is provided. With two-step verification enabled, someone could know your password, and still be unable to assume your identity on a given site, because the site will not log you in unless you also enter the time-based “one time password”.
Two step verification however requires that the site support it.
Although the passQi account detail screen for every site includes the button to Scan for a Two-Step Verification Code (the first step in enabling this feature), it naturally will only work with sites that provide support for it.
It is generally enabled by choosing a security option in your site account profile once you have logged in normally. This will trigger a series of steps which vary from site to site, but which are designed to establish a “shared secret” which forms the basis for calculating the time-based one time password. Because the two-step verification capability was popularized by Google with their Google Authenticator app, many sites prompt you to scan the QR code with “Google Authenticator”. However, it is a standards based feature, and passQi (as well as other authenticator apps) will integrate in precisely the same way as the original Google Authenticator app, with passQi having the added feature of supporting automatic submission of the code.
Two step verification is sometimes referred to by its more technical shorthand name, TOTP (Time-based One Time Password).
Once the code is established, it will be necessary to “recognize” the page that requires it on login, similarly to the way that a login page must be recognized. Many top sites supporting Two Step Authentication are automatically recognized by the passQi cloud, so they will automatically provide the Two Step Verification code. However, if the site or page is not recognized, passQi will attempt to interpret it, but only if passQi is bridged, and the scan occurs on a target site whose domain is the same as the most recent login — as a Two-Step verification code will only be displayed after (or at the same time) as a login is made.
Two-step verification pages that are not correctly recognized, please email firstname.lastname@example.org as it is generally possible for the passQi team to manually construct a custom “recognizer” and store it in the cloud where it will be used automatically.
When you tap the “Scan Two Step Verificaiton Code” and are placed in the scanner, the lower right button is titled “Options.” Note that in addition to scanning the TOTP secret, you may type or paste the secret if it is provided you as a sixteen character “base 32” number. Dashes and spaces are ignored.
You may also copy the secret out of any account which has a two-factor secret in the Vault; when you tap the circle-x next to the displayed one-time code, you have the option of either disabling the code, or simply copying the secret to the clipboard if you wish to move it to another authenticator or, possibly, an account that is linked to the same login URL but enters from a different domain in a two-page authentication process.