BMO supports two either TOTP or Duo. Duo is only available for Mozilla employees, while TOTP is available to everyone.
You need the following:
- You need a TOTP authenticator app, such as Google Authenticator (iOS, Android) installed on a phone or tablet. There are authenticator programs available for desktop OSes, but doing this is not recommended. In this guide we'll say "device" instead of phone or device. Note the device does not need internet connectivity once the Authenticator app is installed.
- You should have a printer or a notepad to write down recovery codes.
Once you have the above ready, it is time to enable 2FA.
- Visit the Two-Factor Authentication page.
- Click the button labeled "Time-based One-Time Password (TOTP)"
- You will now see a barcode.
- Pick up your device and open the authenticator app. There will be a screen with a button at the bottom labeled "Begin Setup"
- This is what you will see on your device. The screenshot is from an iPhone, but Android is similar.
- After "Begin Setup", the screen will give you two options: "Scan a barcode" or "Manual Entry". Choose "Scan a barcode"
- Now the device's camera is going to activate. Aim the camera at the barcode shown in the Bugzilla window is inside the square.
- It will recognize the barcode pretty quickly -- providing the screenshot below was quite difficult.
- The authenticator app on your device should now be displaying a six digit code
- On the page showing the barcode, you must enter your current password and the six digit code displayed on your device.
- The password field is above the barcode, and field for the six digit code is below.
- Now enter that six digit code into the text box under the barcode.
At this point you have 2FA enabled! Every time you log in, you will need to enter your password and also the six-digit code from the authenticator app.
- After the password and code are entered, you must click "Submit Changes"
- If nothing went wrong, it is now time to create recovery codes. If something went wrong, consult the section "Something Went Wrong (TOTP)"
- It is time to create Recovery Codes. Recovery Codes are special codes that can be used instead of the codes generated by Google Authenticator on your device -- but they are longer (10 digits) and each code may only be used once.
- Recovery codes are important if you lose your device, they're an emergency failsafe. If you do not have recovery codes and you lose your device you might lose access to your account forever.