Two-factor authentication (2FA) adds an extra layer of security to Manuscript On Demand by requiring an automatically generated access code in addition to your password when you log in. With 2FA enabled, you can rest easy: Only you can log into your On Demand account, even if your password is compromised or stolen.
Here’s how it works:
- Whenever you log on to Manuscript or Kiln, you’ll be prompted to enter a verification code.
- You’ll generate your code using an authentication app on your mobile device, or use one of your backup codes if necessary.
- Enter the code; that’s it! You’ll be logged on as usual, with added peace of mind.
How To Enable Two-Factor Authentication
Step 1: Download and install an authentication app
Before you set up two factor authentication, you’ll need to download and install an authentication app on your mobile device.
Manuscript 2FA can be used with most Time-Based, One-Time Password (TOTP) applications. We’ve confirmed these:
- iPhone — Google Authenticator, Authy
- Android — Google Authenticator, Authy
- Windows Phone — Microsoft Authenticator
Step 2: Enable two-factor authentication
- Head over to the User Options page (Avatar menu > User Options)
- Click Enable Two-Factor authentication
- Add a new account to your authentication app — in most apps, you can do this by tapping a + or … icon
- Scan the QR code, or enter the details by hand if necessary
- On the 2FA configuration page, enter the 6-digit code generated by your authentication app
- Click Verify Code
- The next page contains your backup codes. Keep them somewhere safe so you can still log on if you lose your phone. Hint: do not store them somewhere protected by the same password you use for Manuscript
What else happens once 2FA is enabled?
- When you first enable 2FA, all existing tokens and sessions (other than the current one) will be invalidated
- The Manuscript logon API command will no longer work; see how to obtain a token for the Manuscript API
- Kiln repositories must be accessed via SSH
- The Kiln Client Tools path-guessing feature is disabled (this will be restored in a future release)
Can I receive a text message with my code rather than opening an app each time I want to log in?
Not currently. Let us know if you do not have a smartphone and need SMS support.
I can’t get a working access code. How do I log on?
If you lose your phone, deleted your authentication app, or can’t get the codes to work, you can use one of your backup codes to sign in. These were provided to you after you set up two-factor authentication for your account. Note that each backup code can only be used once, but you can regenerate your backup codes on the User Accounts page. If you don’t have access to your backup codes, contact a Site Admin and have them manually disable two-factor authentication for your account.
I’m an Admin. How can I disable 2FA for a user?
On the Users page (Avatar menu > Users), edit the user, then click on the link to disable 2FA.
I’m an Admin. Can I require that all users enable 2FA or enable it for them?
Two-factor authentication is currently a per-user feature which must be enabled by each user. There is not currently a way to require 2FA for all accounts.
I’m using Android, and having trouble verifying my Access Codes. What’s the solution?
This might be because the time on your Google Authenticator app is not synced correctly. To make sure that you have the correct time:
- Go to the main menu on the Google Authenticator app
- Click Settings
- Click Time correction for codes
- Click Sync now
On the next screen, the app will confirm that the time has been synced, and you should now be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date & Time settings.