How does Two-Factor Authentication (2FA) work on Shadow?
Shadow lets you use two-factor authentication (2FA) to add security to your account. Two-factor authentication is optional and disabled by default on your account.
It adds a verification step whenever you are about to perform a security-sensitive operation.
On the other hand, single-factor authentication (password only) is easier to breach, making your account more vulnerable to malicious actors, phishing, and malware.
Is Two-Factor Authentication Required?
For now, Shadow doesn’t have any plans to make Two-Factor Authentication mandatory for accessing any of your services.
However, we strongly recommend enabling it to provide an additional security layer to your Shadow account.
Which actions require 2FA when it is enabled?
If you enable Two-Factor Authentication, it will be required whenever you need to log in to perform an action.
For example:
When you log into any of your services (Shadow Drive or Shadow PC)
When you update your password to recover your account.
Note: Two-factor authentication (2FA) is not required when you change your password directly within your Account Page (account tab) while already logged in.
How to set up Two-Factor Authentication?
You can set up one or several Two-Factor Authentication methods via your Account Page.
The methods available with Shadow, and how to set them up, are described below:
Authenticator Mobile Applications with Time-based One-Time Password (TOTP):
These applications generate a code that changes every 30 seconds.
Examples of applications you can use:
On-device Authenticators & External FIDO2 Devices:
On-device authenticators (such as biometric sensors*1) and external devices (such as USB security keys) use the WebAuthn protocol to provide secure and convenient authentication.
*1 Biometric sensors: Biometric sensors are a type of technology, either mechanical or electronic, that captures biometric data (such as the face, palm print, or iris) digitally and converts it into a biometric template. For instance, a device's camera can function as a biometric sensor for the face.
Your external device should be FIDO2 certified to be compatible with the WebAuthn protocol and work as a 2FA method on Shadow.
Examples of On-device Authenticators & External FIDO2 Devices:
Recovery Codes (How to plan a fallback solution if you lose access to your selected 2FA method(s))
Recovery Codes are one-time-use codes generated by Shadow that can be used to complete the second verification step when you lose access to your selected 2FA method(s).
We recommend enabling this feature and backing up the codes so that you can use them if you lose access to your selected 2FA method.
To ensure maximum security, we recommend regenerating these codes periodically. To generate new codes, follow the instructions below.
How to disable Two-Factor Authentication
You can disable one or several 2FA methods on your Customer Space.
If no 2FA method is enabled, Two-Factor Authentication will be disabled.