October 1, 2018
We’ve added a new feature to improve the security of your .gov registrar account: 2-step verification.
- What is 2-step verification?
- Why is this change happening?
- What does this change mean for me?
- How do I set up 2-step verification?
What is 2-step verification?
A password is all that protects your account right now, and passwords can be easier to obtain than you might think.
2-step verification adds another step to the login process. After you enter your password, you’ll be asked for a passcode from your mobile device. This raises the stakes for someone who wants to get into your account because now they have to get your password and your phone.
Why is this change happening?
Though you might only change your .gov domain or account information infrequently, someone with your password could sign in at any time and make changes. This extra layer of security makes it harder for someone to log in as you, which protects the services you make available to the public via a .gov domain.
What does this change mean for me?
You will need to add 2-step verification to your account at https://domains.dotgov.gov. The feature will be rolling out gradually following the schedule below. Please note:
- The first date is the initial time you can add 2-step verification to your account.
- Between the two dates, if you’re not ready to add 2-step verification, you’ll be able to select “Remind me later”.
- The second date is the enforcement date. On this date and after, you must enable 2-step verification on your account to manage your domain.
- GSA-owned domains: October 1 - 31
- Federal Agency: February 4, 2019
- Native Sovereign Nation: October 8 - November 7
- County: October 22 - November 21
- State/Local Govt: November 5 - December 5
- City: Done in phases, based on the first letter of your username:
- A - D: November 19 - December 19
- E - J: December 5 - January 9, 2019
- K - P: December 17 - January 23, 2019
- Q - Z: January 14, 2019 - February 13, 2019
How do I set up 2-step verification?
In order to set up 2-step verification, you will need to use an authentication app to generate security codes. DotGov will only provide customer support for Google Authenticator, but any application that implements the time-based one-time password (TOTP) standard will also work.
Here’s how to set up 2-step verification with Google Authenticator:
- Download the Google Authenticator app (Android, iOS) on your mobile device. (Note that your organization might have rules about whether this app should be installed on your personal or your work device.)
- On your computer, log in to the .gov registrar at https://domains.dotgov.gov.
- Once logged in, click on Account in the left navigation, then select Setup 2-step Verification.
- Open the Authenticator app on your device and select Begin Setup (or ‘+’ if you’ve used the app before), then tap Scan Barcode, and point your device’s camera at the the QR code on the screen. You should see an entry for the .gov Registrar added in Authenticator.
- Type the six-digit code displayed on your device in the One time password field.
Your account now has 2-step verification enabled! From now on, after you log in with your password, you will need to enter the six-digit code from your authentication app.
- Who does this change affect?
- What is an authentication app?
- Is there a cost for an authentication app?
- I do not have a smartphone. What other options do I have?
- Do authentication apps need an internet connection to function?
- I have a new phone. How do I switch devices?
- I’ve lost my phone! How do get back into my account?
- I have a question that isn’t listed. Who should I contact?
Who does this change affect?
All user accounts will be required to use 2-step verification. If any of your domain points of contact (POC) are unable to use an authentication app, you will need to assign a new point of contact.
What is an authentication app?
Authentication apps generate security codes for signing in to sites that require a high level of security. You can use these apps to get security codes even if you don’t have an internet connection or mobile service. A mobile phone app is the typical example of an authentication app, but other forms exist, including applications for desktops, browser extensions, and physical hardware.
Any application that implements the time-based one-time password (TOTP) standard and can use a QR code or accept a manually entered key will also work. DotGov will only provide customer support for Google Authenticator mobile applications.
After installing and configuring the application to work with the registrar, you will be able to receive security codes for your account. Some options for authentication apps include:
- Android options: Google Authenticator, 1Password, Authy, LastPass
- iOS options: Google Authenticator, 1Password, Authy, LastPass
- macOS apps: 1Password, OTP Manager
- Windows apps: 1Password, OTP Manager
- Chrome extensions: Authenticator
- TOTP hardware: Protectimus Slim mini, Token2 miniOTP-1
Is there a cost for an authentication app?
Google Authenticator is free to download, and is the only application that DotGov will field customer support for. Other apps may have a cost.
I do not have a smartphone. What other options do I have?
All users are required to use 2-step verification. If you are unable to use a smartphone, you should explore other authentication app options available, but note that we will only field customer support for Google Authenticator.
Do authentication apps need an internet connection to function?
No. An internet connection is required to download an app (like Google Authenticator), but using it does not require an active connection.
I have a new phone. How do I switch devices?
If you have the old phone, log in to your account, click on ‘Account’, then select ‘Update 2-step verification.’
If you’re updating 2-step verification to a new device and you have access to the old one, consider deleting the old device’s “.gov Registrar” entry so you aren’t confused in the future.
I’ve lost my phone! How do get back into my account?
If you are unable to access your device, you should contact the .gov Help Desk.
I have a question that isn’t listed. Who should I contact?
Contact the .gov Help Desk for additional support.