Help

2-factor-authentication:

ConcertDirectory requires all users to have 2-Factor Authentication (2FA for short) on their account. 2FA is an additional step when logging in: a code is generated and entered to confirm that it is the real owner of the account who is logging into the website. This is a very good step in keeping your account secure. Many websites and platforms on the Internet require 2FA on their users' accounts.

How does it work:

We implement the standard TOTP protocol. This protocol is supported by tens of thousands of websites and is thus a very stable protocol. It is supported by apps like Google Authenticator, Microsoft Authenticator, Adobe Authenticator and various other apps (from lesser-known developers). You might already have one of these apps on your phone; if not, they are all free on your app store. If you don't have a smartphone, you can even get Windows software which will handle this for you. In addition, many password managers can also generate the codes.

When you set up 2FA on a website, the website generates a random value, called a secret. This secret is shared with you only once (typically in the QR code shown) and is never re-transmitted (if needed, a new one is generated instead). Your authenticator app reads the contents of the QR code and extracts the secret from it. From then on, every 30 seconds a new code is generated (using a hashing function) from this shared secret and the current time, and only a specific part of the result is shown to you to enter. Since the server runs exactly the same hashing function (with the same secret), a matching code proves that you hold the original shared secret, and you can log in. Since only a small part of the actual hash result is shown, it is virtually impossible to guess the next code in the sequence, so the scheme remains secure.

Since no code is sent to you when you log in, there is no message for a third party to intercept (something that can happen with codes delivered by email or SMS). Further, since only you have access to the app storing the shared secret (and these apps typically have biometric protection, such as facial recognition, a fingerprint or an extra code that only you know, to open them), the 2FA code is only shown when you want to log in. This is in contrast to other 2FA methods where you receive a push notification from the app to approve the login, which in recent years has started to be exploited by an attack called "2FA fatigue": an attacker repeatedly attempts to log in until the owner, bombarded by so many notifications, eventually approves one.

At the time of 2FA setup, a few extra keys (recovery keys) are also generated. These are longer and should be stored safely. Should you lose access to the app holding the shared secret, one of these keys can be entered instead. Each key can only be used once. This allows you to reset your 2FA secret and continue using your account.

How do I enable 2FA:

When you register, you will receive a confirmation email to confirm that your email address is valid. Note that we require valid email addresses, and accounts with inactive email addresses may be removed without further warning (since we can't contact you).

After you log in, if you do not have 2FA enabled, you will automatically be directed to the page where you can set up 2FA. Note that you cannot do anything else before activating 2FA on your account. Follow the prompts to set up and enable 2FA. You will be presented with the QR code and the secret, which you can use to set up your app. After this, the app will generate a code, which you enter in the space provided. If the code matches what the server calculated, 2FA is enabled, you are shown the recovery keys (please store them safely), and you can then continue to use the platform.