BMO/UserGuide/Two-Factor Authentication

From MozillaWiki
< BMO‎ | UserGuide
Jump to: navigation, search

Bugzilla and Two-Factor Authentication (BMO) uses either TOTP or Duo Security for Two-Factor authentication. Duo is only available for all Mozilla employees, while TOTP is available to everyone.

All Mozilla employees should use Duo Security where possible.

It is also very import to generate Recovery Codes and store them in a safe, offline location.

Configure 2FA: TOTP (Google Authenticator)

The following instruction will guide you through configuing 2FA using TOTP. This guide assumes that you're using Google Authenticator (iOS, Android) installed on a phone or tablet. There are authenticator programs available for desktop OSes, but doing this is not recommended. It is also not recommended to use 1Password for TOTP (one-time passwords) if you also store your bugzilla password there because that defeats the purpose of two-factor authentication.

Visit the Two-Factor Authentication page.

Click the button labeled "Time-based One-Time Password (TOTP)"

You will now see a barcode.

Pick up your device and open the authenticator app. There will be a screen with a button at the bottom labeled "Begin Setup"

This is what you will see on your device. The screenshot is from an iPhone, but Android is similar.

After "Begin Setup", the screen will give you two options: "Scan a barcode" or "Manual Entry". Choose "Scan a barcode"

Now the device's camera is going to activate. Aim the camera at the barcode shown in the Bugzilla window is inside the square.

It will recognize the barcode pretty quickly -- providing the screenshot below was quite difficult.

The authenticator app on your device should now be displaying a six digit code

On the page showing the barcode, you must enter your current password and the six digit code displayed on your device.

The password field is above the barcode, and field for the six digit code is below.

Now enter that six digit code into the text box under the barcode.

After the password and code are entered, you must click "Submit Changes"

If nothing went wrong, it is now time to create recovery codes. If something went wrong, consult the FAQ at the end of this guide.

It is time to create [#Recovery Codes]

Configure 2FA: Duo

The following instruction will guide you through configuing 2FA using Duo. Duo is only available to Mozilla employees at this time.

First, You must be enrolled with Duo Security via before you can use Duo 2FA.

In addition to the app, you will need to know what your Duo username is -- this is your LDAP email which might not be the same (and does not have to be) as your Bugzilla email ("bugmail").

Visit the Two-Factor Authentication page, and click the button labeled "Duo Security"

Now you'll see two text fields. The first is for your current password, and the second one is the username you use for Duo -- your LDAP email.

After filling in those forms and clicking "Submit Changes", you will encounter the typical Duo authentication screen, similar to the one that you get when logging into other Mozilla services.

Generate Recovery Codes

Recovery Codes are special codes that can be used instead of the codes generated by Google Authenticator on your device -- but they are longer (10 digits) and each code may only be used once.

Recovery codes are important if you lose your device, they're an emergency failsafe. If you do not have recovery codes and you lose your device you might lose access to your account forever.

Visit the Two-Factor Authentication page. Assuming that you're using 2FA, you will see a screen that looks something like the following

Click on "Generate Printable Recovery Codes". You'll be taken to a page and required to re-authenticate using both your password and your second factor (either Duo or TOTP). Continuing through that, you'll get something like this:

If possible, you should print those codes out. If printing is not an option, write them down. In either case, it is important to keep them in a safe place -- and not on your computer. There are ten codes, and each code can be used once instead of your authenticator -- and typically you would use them to disable and re-enable 2FA in the event you lose your authenticator device.


I'm using Duo and all I see is a white box

Check your browser addons -- it's possible that some extension is blocking Duo.

I'm using TOTP and my code doesn't work

  1. Make sure time on your computer is correct. If your computer's clock is off, it will prevent TOTP from working.
  2. Make sure you're using the right code generator -- if you're using TOTP you will *not* be using the Duo app, for instance.

Help! My phone has been destroyed

This is why you must generate and store Recovery Codes! If you did, you can use one of those Recovery codes to disable 2FA and re-enable it on a new device.

If you lose both your recovery codes and your device:

  • If you're a Mozilla employee, contact Service Desk
  • If you're a community member, email bugzilla-admin [at]

In either case, you will need to provide sufficient evidence of your identity.