What is two-factor authentication?
Two-factor authentication is an extra layer of security for accessing your Toshl user account. You would normally log in to Toshl with your email and password, or using the Facebook or Google login options. That is the first authentication factor.
When you activate two-factor authentication, Toshl will ask you for an additional code before you can log in. That authentication code is a 6-digit number which you get from a dedicated authenticator app on your phone or computer.
The code is generated automatically by a time-based one-time password (TOTP) algorithm from a secret that is shared with your app during setup and the current time. Unlike your password, the code changes every 30 seconds, so you will need the authenticator app at hand whenever you log in.
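To show what the authenticator app actually does with the secret it reads from the QR code, here is an added example (not Toshl's code) that computes and verifies a standard TOTP code. It uses the secret from the RFC 6238 test vectors; the `otpauth://` key URI and its label and issuer are assumptions about the QR format, not Toshl's actual QR content. The server-side check also shows the two things a practitioner should expect from the verifying side: tolerance for a little clock drift, and refusal to accept the same time-step twice.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890"), base32-encoded.
# Authenticator apps store the base32 string they read from the enrolment QR code.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed key URI in the de facto "otpauth://" format that authenticator apps
# read from QR codes. Label and issuer are assumptions, not Toshl's actual QR content.
EXAMPLE_URI = ("otpauth://totp/Toshl:user%40example.com"
               f"?secret={RFC6238_SECRET_B32}&issuer=Toshl&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Pull the shared secret and its parameters out of a TOTP key URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    query = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = unix_time // step                      # same counter for a whole 30 s step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter=None, window: int = 1, step: int = 30):
    """Server-side check. Returns the matched counter (persist it as last_used_counter)
    or None. Accepts +/- window steps for clock drift, compares in constant time and
    refuses any counter at or before the last accepted one, so a code cannot be replayed."""
    for delta in range(-window, window + 1):
        counter = unix_time // step + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(totp(secret_b32, counter * step, step), submitted):
            return counter
    return None


if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print(params["label"], totp(params["secret"], now, params["period"], params["digits"]))
```

Because the code depends only on the shared secret and the clock, anyone who obtains the secret (for example from an unencrypted backup of the app) can generate valid codes; the QR code and the base32 secret deserve the same care as the password.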
Why is two-factor authentication important?
It makes it much harder for someone to gain unauthorized access to your account. While protecting your account with a good password is usually enough, there can be circumstances where such an extra security barrier is very useful.
For example, if you reused your password on another service and that service is breached, the leaked data reveals your Toshl password as well. Someone might also guess your password, or gain access to your Facebook or Google account. In any of those cases, they could try to log in to Toshl with it.
If you have two-factor authentication enabled and set up on your phone, they would also need the current code from your authenticator app, which in practice means physical access to your unlocked phone. That would very likely stop them from getting into your Toshl account.
While two-factor authentication provides an important extra layer of security, it is still important to take basic security precautions:
- Use long, hard-to-guess passwords, so that automated guessing attempts are impractical.
- Do not use the same password on several services.
- Check that the address bar shows toshl.com before entering your password or authentication code; a code typed into a fake login page can be used right away by whoever runs it.
- Always log out of Toshl when using it on devices shared with other people, or on devices which you leave unlocked.
- Lock your devices with a code/password.
How do I set up two-factor authentication?
- Go to toshl.com and Log in.
- Go to user settings (Me) in the main menu and turn ON the option Two-factor authentication.
- A wizard will open, guiding you through the process.
- Download an authentication app on your phone.
- Add a new account in that app by scanning the QR code shown on your screen.
- Download the file with recovery codes. This is important: if you lose your phone, these codes are what will let you log in. Save them in a safe place.
- Type the newly generated 6-digit code into Toshl to confirm everything is working and finish activating two-factor authentication.
- Great success! Much rejoicing. Two-factor authentication is now required whenever you log in.
What are these authentication apps? Which ones can I use with Toshl?
This kind of two-factor authentication follows a common standard (time-based one-time passwords, TOTP), so there are many apps that can generate these authentication codes once you have set it up as described above.
Below are some popular authentication apps that we found useful. You can use others as well, just make sure you pick one from a trustworthy developer.
- Google Authenticator (Android, iOS)
- Microsoft Authenticator (Android, iOS, Windows Phone)
- Authy (Android, iOS)
- Password managers with support for two-factor authentication codes
Do I have to enter this every time? Which Toshl apps demand the extra code?
You have to enter the code every time you log in, provided you were logged out beforehand.
The web app will require the extra code whenever you log in anew. If you check the “Remember me” option when logging in, Toshl won’t request the two-factor code again until the next time you log out, or the session expires. So if you log in using “Remember me” and then just close the browser without logging out, you most likely won’t need to enter it again the next time you open toshl.com.
The mobile app will also require the extra code whenever you log in anew. So you enter the two-factor code the first time you log in to the app, and your login is then remembered unless you log out in user settings (Me) of the mobile app.
If you re-install the app or log out, you will need to enter it again.
It’s a good idea to lock the Toshl app with a passcode or fingerprint as well as your entire phone.
What if I lose my phone or accidentally delete the authentication app?
Try not to (👨‍✈️ salute to Captain Obvious). If you do, you can log in using the recovery codes you saved during the setup process.
It’s very important to save the recovery codes and store them in a safe place. Save them on your computer, external drive or even print them out, if you’re more certain you’ll find them that way later on.
When Toshl asks you for the authentication code, click the option to log in using recovery codes. Enter one of the codes and log in. Each code can only be used once, so you have ten logins with the codes available altogether.
If you have permanently lost your phone or deleted the authentication app, log in with a recovery code, go to user settings (Me), deactivate two-factor authentication, then set it up again using the new device/app.
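As an added example (not Toshl's code) of how the single-use property described above is normally enforced on the server side: the service hands the user a batch of ten random codes once, keeps only salted hashes of them, and deletes a hash the moment its code is redeemed, so a leaked database does not reveal the codes and a used code cannot be replayed. The code format, alphabet and hashing parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

CODE_COUNT = 10  # the help page says ten one-time codes are issued
# Alphabet without easily confused characters (no 0/o, 1/l/i); an assumption for the example.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = CODE_COUNT) -> list:
    """Ten random codes in the form xxxxx-xxxxx, from a CSPRNG (about 49 bits each)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Accept the code with or without the dash and in any case."""
    return code.replace("-", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen table does not give away the codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record for one user: hashes only, each deleted on first use."""

    def __init__(self, codes: list):
        self.salt = os.urandom(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """True exactly once per issued code; constant-time comparison against each hash."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]   # consumed: the same code will not work again
                return True
        return False


if __name__ == "__main__":
    issued = generate_recovery_codes()
    print("\n".join(issued))        # what the user downloads and stores safely
    store = RecoveryCodeStore(issued)
    print(store.redeem(issued[0]), store.redeem(issued[0]), store.remaining())
```

When a user turns two-factor authentication off and on again, the old batch should be discarded and a fresh one issued, which is what the re-setup step above amounts to.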
Why not send authentication codes via SMS?
We realize that is what a lot of other services do, but that method is less secure. It depends on your mobile phone service provider, but in many cases it did not take much social engineering for determined attackers to convince the provider to move the phone number to another SIM card (so-called SIM swapping). That way, your authentication codes could be intercepted without you even knowing. There have been cases of this happening in the past.