In today's world where much of our data is stored online, it's important to keep our 2FA recovery codes secure to prevent common potential security threats.
OpsCompass added two-factor authentication (2FA), also known as MFA (multi-factor authentication), as a requirement for all user accounts. You are likely already using 2FA for both personal and work accounts and are aware not only of how it works but also of why it is an important security measure. However, it bears repeating that stolen credentials and password reuse remain a common attack vector that can adversely impact you and/or your organization.
2FA complicates attacks by requiring two different authentication factors, drawn from these categories:
1. Something you know (password, personal identification number (PIN))
2. Something you have (hardware token, phone)
3. Something you are (biometrics)
OpsCompass largely delegates the handling of these authentication factors to your organization by supporting cloud-based identity providers. Most OpsCompass users sign in through their organization's cloud-based identity provider (such as Google or Microsoft logins) and may already have 2FA as an internal requirement.
Using a cloud-based identity provider allows you to centrally manage users and, to an extent, to decide outside of our system whether or not a user can log in. This approach, combined with our internal user and team management functionality, transfers the vast majority of user management to the customer. Moving away from password-based authentication means less risk for us, and it also helps ensure that the customer is better able to manage their assets while reducing the risk that is transferred externally. Of course, this does not absolve OpsCompass of its important role in identity management.
Since OpsCompass is not aware of your internal requirements, and we are responsible for access to sensitive cloud infrastructure configuration data, we want to ensure that we are doing the utmost to protect user credentials and your organizational data. A reasonable step toward this goal is supporting 2FA and requiring it of all users. By requiring 2FA, we further aid customers in enforcing best practices for access control and identity management.
What can you do?
Since your password is "something you know", it is best to store your 2FA recovery code as "something you have". Options include:
1. Writing down (on paper or in a notepad) your recovery code and keeping it locked away securely.
2. Storing the recovery code locally with strong encryption.
3. Storing the recovery code in the cloud with strong encryption.
For steps on how to enable 2FA on your account, read our guide on how to set up 2FA within your account.