Already have passQi on your iPhone?
Drag the button on the right, and drop it onto the bookmark bar of your browser -

Show me!

Setting Up Two-Step Verification (passQi+ only)

Setting Up Two-Step Verification (passQi+ only)

What is it?

Two-Step Verification is an increasingly popular form of two-factor authentication, where added account security is provided by requiring demonstration of the possession of a “thing” in addition to knowing a password. In this, case, the thing is your iOS device, and possession of it is proven to the target site by entering a two-step verification token (set of digits) that changes every 30 seconds. Since the only practical way of knowing this changing number is to posses a device that can calculate it , a second level of assurance that “you are who you say you are” is provided. With two-step verification enabled, someone could know your password, and still be unable to assume your identity on a given site, because the site will not log you in unless you also enter the time-based “one time password”.

Two step verification however requires that the site support it.

Although the passQi account detail screen for every site includes the button to Scan for a Two-Step Verification Code (the first step in enabling this feature), it naturally will only work with sites that provide support for it.

It is generally enabled by choosing a security option in your site account profile once you have logged in normally. This will trigger a series of steps which vary from site to site, but which are designed to establish a “shared secret” which forms the basis for calculating the time-based one time password. Because the two-step verification capability was popularized by Google with their Google Authenticator app, many sites prompt you to scan the QR code with “Google Authenticator”. However, it is a standards based feature, and passQi (as well as other authenticator apps) will integrate in precisely the same way as the original Google Authenticator app, with passQi having the added feature of supporting automatic submission of the code.

Two step verification is sometimes referred to by its more technical shorthand name, TOTP (Time-based One Time Password).

How to enable it

  • While the user steps may vary, the common feature for enabling Two-Step Verification is to first, scan a QR code generated by the target site, which will establish a “shared secret” that forms the basis for calculating a unique one-time password each time you log in.
  • To associate the code for a given site, you must first create an entry for the site in the vault, by logging
    in using passQi.
  • Tap on the Vault entry for the site, and display the account detail screen used for editing the username and password, and tap the Scan for a Two-Step Verification Code button.
  • This will call up the scanner view, and you when you scan the two-step verification QR code displayed by the site, a page will be displayed which displays the current one-time password. Usually, the site will ask you for the current code value to confirm that the scan has completed correctly.
  • Note that if you scan the QR code from the primary passQi scan view, this will generate an error alert; this is because the code being scanned must first be associated with a specific site and username.

Once the code is established, it will be necessary to “recognize” the page that requires it on login, similarly to the way that a login page must be recognized. Many top sites supporting Two Step Authentication are automatically recognized by the passQi cloud, so they will automatically provide the Two Step Verification code. However, if the site or page is not recognized, passQi will attempt to interpret it, but only if passQi is bridged, and the scan occurs on a target site whose domain is the same as the most recent login — as a Two-Step verification code will only be displayed after (or at the same time) as a login is made.

Two-step verification pages that are not correctly recognized, please email totp@passqi.com as it is generally possible for the passQi team to manually construct a custom “recognizer” and store it in the cloud where it will be used automatically.

Options

When you tap the “Scan Two Step Verificaiton Code” and are placed in the scanner, the lower right button is titled “Options.” Note that in addition to scanning the TOTP secret, you may type or paste the secret if it is provided you as a sixteen character “base 32” number. Dashes and spaces are ignored.

You may also copy the secret out of any account which has a two-factor secret in the Vault; when you tap the circle-x next to the displayed one-time code, you have the option of either disabling the code, or simply copying the secret to the clipboard if you wish to move it to another authenticator or, possibly, an account that is linked to the same login URL but enters from a different domain in a two-page authentication process.