Hi folks! We just released *optional* two-factor auth support for Clojars to improve account security. The details are available at https://github.com/clojars/clojars-web/wiki/Two-Factor-Auth, the contents of which I have included below for convenience.
Please file an issue at https://github.com/clojars/clojars-web/issues if you run into any problems with using it or have any suggestions to make it better!

- The Clojars Team

---

Clojars supports requiring [two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) to log in that is configured on a per-account basis.

## Enabling it

Clojars uses time-based one-time passwords (TOTP) to implement two-factor auth. To use it, you will need a device capable of generating TOTP codes. There are several applications for mobile phones (search for "TOTP" or "two-factor" in your app store). Password storage applications (such as [KeePassXC](https://keepassxc.org/) or [1Password](https://1password.com/)) also provide TOTP generation, but keep in mind that having a single application/device supplying your password and TOTP code somewhat defeats the purpose of two-factor auth.

Once you have a device that can generate TOTP codes, you will need to enable it on Clojars and link your device to your Clojars account.

1. Visit <https://clojars.org/mfa/>
2. Enter your password
3. You will be presented with a QRCode to scan with your device. If you are using a device where you can't scan the QRCode, you can copy and paste the shared key instead.
4. Once you have set up your device, you will be asked to enter a code generated by your device. This is used to verify that the setup is correct, and **two-factor auth will not be enabled on your account until you enter a correct code**.
5. Once you have verified your setup, two-factor auth will be enabled for your account and you will be presented with a one-time use recovery code. **Save this code somewhere safe.** This code can be used in place of a TOTP code when logging in, but only once. Using this recovery code will *disable* two-factor auth on your account, requiring you to set it up again.
## Logging in with a two-factor/TOTP code

To log in, you will need to provide your password and a TOTP code on the login page. Note that TOTP codes are dependent on the clock on the device being relatively close to the clock on the server. If there is any skew there, it's possible for the code to be rejected. If your code is rejected, please try again with a code that has several seconds remaining on its validity.

## Recovery

As noted above, you will receive a recovery code when you set up your two-factor authentication. If you lose access to your two-factor device, you can use this code to log in. Doing so will automatically disable your two-factor auth on your account. **It is important that you keep this code, as it may be difficult for the Clojars admins to verify your identity to disable two-factor auth on your behalf**.

## Deploying after enabling two-factor auth

Once you enable two-factor auth, you *must* use a [deploy token](https://github.com/clojars/clojars-web/wiki/Deploy-Tokens) to deploy artifacts.
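
The clock-skew behaviour described under "Logging in with a two-factor/TOTP code", worked through as an added example (not part of the original announcement and not Clojars' own code). It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and a verifier that tolerates one step either side; the function names, the tolerance window and the sample key (the RFC 4226/6238 test key) are assumptions, since the announcement does not state Clojars' parameters.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default; assumed for this example)
DIGITS = 6   # code length (assumed)

def decode_shared_key(b32: str) -> bytes:
    """Decode a base32 shared key, the form usually offered beside a setup QR code."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // STEP)

def seconds_remaining(unix_time: int) -> int:
    """How long the code generated at unix_time stays current."""
    return STEP - unix_time % STEP

def verify(key: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from the server's current step or `window` steps either side."""
    current = server_time // STEP
    matched = False
    for step in range(max(0, current - window), current + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        matched |= hmac.compare_digest(hotp(key, step), code)
    return matched

if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test key, not a real account secret.
    key = decode_shared_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    server_now = 150
    for device_now in (150, 125, 59):   # device clock 0 s, 25 s and 91 s behind
        code = totp(key, device_now)
        print(f"skew={server_now - device_now:>3}s code={code} "
              f"accepted={verify(key, code, server_now)}")
```

A device 25 seconds behind still falls inside the one-step window, while one 91 seconds behind is rejected until its clock is corrected.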