Page MenuHomePhabricator
Diviner Phabricator User Docs User Guide: Multi-Factor Authentication

User Guide: Multi-Factor Authentication
Phabricator User Documentation (Application User Guides)

Explains how multi-factor authentication works in Phabricator.

Overview

Multi-factor authentication allows you to add additional credentials to your account to make it more secure.

Once multi-factor authentication is configured on your account, you'll usually use your mobile phone to provide an authorization code or an extra confirmation when you try to log in to a new session or take certain actions (like changing your password).

Requiring you to prove you're really you by asking for something you know (your password) and something you have (your mobile phone) makes it much harder for attackers to access your account. The phone is an additional "factor" which protects your account from attacks.

How Multi-Factor Authentication Works

If you've configured multi-factor authentication and try to log in to your account or take certain sensitive actions (like changing your password), you'll be stopped and asked to enter additional credentials.

Usually, this means you'll receive an SMS with a authorization code on your phone, or you'll open an app on your phone which will show you a authorization code or ask you to confirm the action. If you're given a authorization code, you'll enter it into Phabricator.

If you're logging in, Phabricator will log you in after you enter the code.

If you're taking a sensitive action, Phabricator will sometimes put your account in "high security" mode for a few minutes. In this mode, you can take sensitive actions like changing passwords or SSH keys freely, without entering any more credentials.

You can explicitly leave high security once you're done performing account management, or your account will naturally return to normal security after a short period of time.

While your account is in high security, you'll see a notification on screen with instructions for returning to normal security.

Configuring Multi-Factor Authentication

To manage authentication factors for your account, go to SettingsMulti-Factor Auth. You can use this control panel to add or remove authentication factors from your account.

You can also rename a factor by clicking the name. This can help you identify factors if you have several similar factors attached to your account.

For a description of the available factors, see the next few sections.

Factor: Mobile Phone App (TOTP)

TOTP stands for "Time-based One-Time Password". This factor operates by having you enter authorization codes from your mobile phone into Phabricator. The codes change every 30 seconds, so you will need to have your phone with you in order to enter them.

To use this factor, you'll download an application onto your smartphone which can compute these codes. Two applications which work well are Authy and Google Authenticator. These applications are free, and you can find and download them from the appropriate store on your device.

Your company may have a preferred application, or may use some other application, so check any in-house documentation for details. In general, any TOTP application should work properly.

After you've downloaded the application onto your phone, use the Phabricator settings panel to add a factor to your account. You'll be prompted to scan a QR code, and then read an authorization code from your phone and type it into Phabricator.

Later, when you need to authenticate, you'll follow this same process: launch the application, read the authorization code, and type it into Phabricator. This will prove you have your phone.

Don't lose your phone! You'll need it to log into Phabricator in the future.

Factor: SMS

This factor operates by texting you a short authorization code when you try to log in or perform a sensitive action.

To use SMS, first add your phone number in SettingsContact Numbers. Once a primary contact number is configured on your account, you'll be able to add an SMS factor.

To enroll in SMS, you'll be sent a confirmation code to make sure your contact number is correct and SMS is being delivered properly. Enter it when prompted.

When you're asked to confirm your identity in the future, you'll be texted an authorization code to enter into the prompt.

SMS is a very weak factor and can be compromised or intercepted. For details, see: https://phurl.io/u/sms.

Factor: Duo

This factor supports integration with Duo Security, a third-party authentication service popular with enterprises that have a lot of policies to enforce.

To use Duo, you'll install the Duo application on your phone. When you try to take a sensitive action, you'll be asked to confirm it in the application.

Administration: Configuration

New Phabricator installs start without any multi-factor providers enabled. Users won't be able to add new factors until you set up multi-factor authentication by configuring at least one provider.

Configure new providers in AuthMulti-Factor.

Providers may be in these states:

  • Active: Users may add new factors. Users will be prompted to respond to challenges from these providers when they take a sensitive action.
  • Deprecated: Users may not add new factors, but they will still be asked to respond to challenges from exising factors.
  • Disabled: Users may not add new factors, and existing factors will not be used. If MFA is required and a user only has disabled factors, they will be forced to add a new factor.

If you want to change factor types for your organization, the process will normally look something like this:

  • Configure and test a new provider.
  • Deprecate the old provider.
  • Notify users that the old provider is deprecated and that they should move to the new provider at their convenience, but before some upcoming deadline.
  • Once the deadline arrives, disable the old provider.

Administration: Requiring MFA

As an administrator, you can require all users to add MFA to their accounts by setting the security.require-multi-factor-auth option in Config.

Administration: Recovering from Lost Factors

If a user has lost a factor associated with their account (for example, their phone has been lost or damaged), an administrator with host access can strip the factor off their account so that they can log in without it.

IMPORTANT: Before stripping factors from a user account, be absolutely certain that the user is who they claim to be!

It is important to verify the user is who they claim they are before stripping factors because an attacker might pretend to be a user who has lost their phone in order to bypass multi-factor authentication. It is much easier for a typical attacker to spoof an email with a sad story in it than it is for a typical attacker to gain access to a mobile phone.

A good way to verify user identity is to meet them in person and have them solemnly swear an oath that they lost their phone and are very sorry and definitely won't do it again. You can also work out a secret handshake in advance and require them to perform it. But no matter what you do, be certain the user (not an attacker pretending to be the user) is really the one making the request before stripping factors.

After verifying identity, administrators with host access can strip authentication factors from user accounts using the bin/auth strip command. For example, to strip all factors from the account of a user who has lost their phone, run this command:

# Strip all factors from a given user account.
phabricator/ $ ./bin/auth strip --user <username> --all-types

You can run bin/auth help strip for more detail and all available flags and arguments.

This command can selectively strip factors by factor type. You can use bin/auth list-factors to get a list of available factor types.

# Show supported factor types.
phabricator/ $ ./bin/auth list-factors

Once you've identified the factor types you want to strip, you can strip matching factors by using the --type flag to specify one or more factor types:

# Strip all SMS and TOTP factors for a user.
phabricator/ $ ./bin/auth strip --user <username> --type sms --type totp

The bin/auth strip command can also selectively strip factors for certain providers. This is more granular than stripping all factors of a given type. You can use bin/auth list-mfa-providers to get a list of providers.

Once you have a provider PHID, use --provider to select factors to strip:

# Strip all factors for a particular provider.
phabricator/ $ ./bin/auth strip --user <username> --provider <providerPHID>