Managing two-factor authentication

Fastly supports two-factor authentication, a two-step verification system, for logging in to the control panel and other linked Fastly assets (e.g., the Fastly support portal). In a two-factor authentication security process, users provide two means of identifying themselves to the system, typically by providing the system with something they know (for example, their login ID and password combination) and something they have (such as an authentication code).

Before you begin

You'll need to enter an authentication code regularly. Once two-factor authentication has been enabled for your Fastly account, an authentication code will be requested upon login at least every 14 days for each computer and browser you use to access the Fastly control panel or a linked Fastly asset.

A mobile device is required. Using this security feature with a Fastly account requires a mobile device capable of scanning a barcode or QR code using a downloadable authenticator application. We recommend the following:

• For Android, iOS, and Blackberry: Google Authenticator
• For Android and iOS: Duo Mobile
• For Windows Phone: Authenticator

There are special requirements for using this feature with API tokens generated for the Fastly control panel. Check out the API token documentation for more information.

Managing two-factor authentication as a user

Depending on whether or not your organization has enabled company-wide two-factor authentication, you may be able to enable and disable two-factor authentication for your personal account. We also have instructions for recovering access to your account if you lose your mobile device.

Enabling two-factor authentication

Follow these steps to enable two-factor authentication for your account.

1. Log in to the Fastly control panel.

2. Go to Account > Profile & security.

3. Click Two-factor authentication.

   

4. Click Continue and then reauthenticate your login credentials.

   

5. Launch the authenticator application installed on your mobile device and scan the QR code on the setup page. A time-based authentication code appears on your mobile device. If a browser link appears, click it to save the code. When you do, the words Secret saved appear briefly.

6. In the One-time code field in the setup page, enter the time-based authentication code displayed by your mobile device.

   IMPORTANT

   Google Authenticator Users: A common time syncing issue may cause your authenticator codes to fail. You can correct this using Google's instructions.

7. In the Device name field, enter a name to help you identify your device and then click Continue.

8. Click Finish setup. Two-factor authentication will be enabled for the next time you log in.

9. Generate recovery codes for your account in case of emergency.

Once you enable two-factor authentication for your account, any other open sessions in other browser windows will require reauthentication in those windows using an authentication code generated by the authenticator application installed on your mobile device (in addition to your email and password). Future logins will also require an authentication code. By default, the system requires you to authenticate your login using an authentication code at least every two weeks for each computer and browser you use to access the Fastly control panel or linked Fastly asset.

Generating recovery codes

If you're ever unable to access your mobile device, recovery codes can be used to log in when your account has two-factor authentication enabled. Each of these recovery codes can only be used once, but you can regenerate a new set at any time and any previously generated codes that are still unused will be invalidated.

To generate recovery codes, follow these steps.

1. Log in to the Fastly control panel.

2. Go to Account > Profile & security.

3. Click Two-factor authentication.

4. Click Generate recovery codes.

5. Click Download recovery codes and then save them in a secure location.

   IMPORTANT

   Be sure to store a copy of your recovery codes in a safe place in the same order they appear on the screen. You'll need to use them in the displayed order if you lose access to your mobile device and need to use a recovery code in place of the authentication application to access your account.

6. Click I've saved my recovery codes.

Disabling two-factor authentication

Once two-factor authentication is enabled for your account, you can disable it at any time by following these steps.

1. Log in to the Fastly control panel.
2. Go to Account > Profile & security.
3. Click Two-factor authentication.
4. Click Disable two-factor authentication.
5. In the Your authentication code field, enter the time-based authentication code displayed in the authenticator application on your mobile device, then click Disable.

What to do if you lose your mobile device

If you lose your mobile device after enabling two-factor authentication, use a recovery code to log in to your Fastly account.

You can continue to use recovery codes to log in until you get your mobile device back. Recovery codes can only be used once, however, so remember to regenerate a new list of codes as needed to avoid running out before you recover your mobile device.

If you do not believe you will be able to recover your lost mobile device and you still have at least two recovery codes left, you can log in with one recovery code and disable two-factor authentication with a second code. Once two-factor authentication is disabled, you can re-enable it with a new mobile device at a later time and regenerate a new set of codes.

Locked out of your account? Check out our article on what you can do about it.

Managing two-factor authentication as a superuser

Organizations can enable two-factor authentication users one at a time or all at once for all of their users. When the company-wide two-factor authentication feature is enabled, all users within the organization are required to use two-factor authentication to log in to the Fastly control panel, and they cannot disable two-factor authentication for their accounts.

Enabling two-factor authentication for a single user

If you are assigned the superuser role for your organization, you can view who has two-factor authentication enabled the User management settings for your Account. Users with this feature enabled have 2FA displayed next to their names.

To disable two-factor authentication for any user within your organization, select Disable 2FA from the menu that appears when you click the gear next to that user's name.

Resetting a user's two-factor authentication

If company-wide two-factor authentication is enabled, and a user within the organization gets locked out of their account or needs to enable a new device, an account superuser can reset their two-factor authentication. To reset a user's two-factor authentication, follow the steps below.

1. Log in to the Fastly control panel.
2. Go to Account > User management.
3. In the Users area, click the gear next to a user and then select Reset 2FA. A warning message appears.
4. Click Reset. The user will need to set up two-factor authentication for their account the next time they log in.

Disabling two-factor authentication for a single user's account

If company-wide two-factor authentication is enabled, a superuser can disable two-factor authentication for a single user's account. This is typically done for user accounts being used for scripts and session authentication. To disable two-factor authentication for a single user's account, follow the steps below.

1. Log in to the Fastly control panel.
2. Go to Account > User management.
3. In the Users area, click the gear next to a user and then select Ignore 2FA. A warning message appears.
4. Click Ignore. Two-factor authentication will no longer be required for the selected user.

Enabling company-wide two-factor authentication

Users assigned the superuser role can enable this feature on the Account page. To enable company-wide two-factor authentication for all users within your organization, follow the steps below.

1. Log in to the Fastly control panel and select Account from the navigation sidebar.

2. In the Customer options area, select Enabled from the Company-wide two-factor authentication controls.

   

3. Click Update Customer Options. A warning message appears stating that login sessions from non-2FA users in your company will immediately expire.

4. Click Continue. Two-factor authentication becomes required for all users in your company. Anyone currently logged in and not previously using 2FA on their account will be logged out of the Fastly control panel. Anyone who has not already enabled two-factor authentication for their account will be prompted to do so the next time they log in to the Fastly control panel.

Disabling company-wide two-factor authentication

A superuser can disable company-wide two-factor authentication. Once this feature is disabled, existing users within the organization will be able to manage their own two-factor authentication settings, and new users will not be required to set up two-factor authentication to log in to the Fastly control panel. To disable company-wide two-factor authentication, follow the steps below:

1. Log in to the Fastly control panel and select Account from the navigation sidebar.

2. In the Customer options area, select Disabled from the Company-wide two-factor authentication controls.

   

3. Click Update Customer Options. A warning message appears.

4. Click Continue. Company-wide two-factor authentication becomes disabled.