Immunefi has previously only supported email and password based authentication to the platform. Only having password and email based authentication opens up users to security risks in the event that their email+password combination gets compromised.
To help protect your account from unauthorized access, the Immunefi platform now supports the usage of a second authentication factor using time-based one-time passwords (TOTP) from an authenticator app (such as Google/Microsoft/Authy Authenticator). Two-factor authentication is not enabled by default. To enable 2FA for your account please follow these steps:
Step 1: Go to your Immunefi user settings and on the Two-factor authentication row click “Enable”
Step 2: Open (or download) your authenticator application and scan the QR code
On the next screen open your authenticator application (e.g. Google Authenticator) and scan the QR code displayed. Alternatively, if you cannot scan the QR code then enter the provided code manually into your authenticator application.
Once the QR code is captured, then your authenticator application will display a 6 digit code. Enter this into the window and click “Next”.
Step 3: Save your recovery codes
On the next screen take a moment to view and save your backup codes. You will need these codes if you ever lose your authenticator application.
Important: If you lose both your authenticator and back up codes then your account will be irrecoverable! Immunefi will not be able to assist with regaining access to your account.
Step 4: 2FA Enabled
Once you click “Enable 2FA” you’ve completed enabling two-factor authentication on your Immunefi account. You’ll need to use codes from your authenticator application when you login.
Disabling 2FA on your Immunefi account
You may want to temporarily disable two-factor authentication on your Immunefi account. Disabling two-factor authentication may need to occur if you want to switch to a new authentication application.
Step 1: Go to your user settings and click on Disable 2FA
Step 2: Under your user settings navigate to the Two-Factor Authentication row and click on “Disable 2FA”.
You will be prompted to re-enter an authentication code. Once successful, 2FA will be disabled.
Requiring 2FA for access to your bug bounty program
You can require two-factor authentication for project users to access your bug bounty program. Doing so adds an extra layer of security and helps to ensure that only the people you trust have access to your program and related bug reports.
Only the project admin can enable/disable the program 2FA requirement.
If you are the project admin and you do not have 2FA activated on your account, you will need to do so before you can require 2FA for the program.
If you are the project admin and you do have 2FA activated on your account, you can enable/disable the program 2FA requirement in the project settings. There you will see a ‘Project 2FA’ option and you can choose to either enable or disable the requirement.
Once this feature is enabled, all project users and admins will need to activate 2FA on their accounts before they are able to view any reports in the program.
Note: Users will be required to pass a 2FA check when logging on to their accounts even if they are connected to multiple projects and only one of them requires 2FA.
How to recover your account when 2FA is enabled
If you get locked out of your account and you have two-factor authentication enabled, complete the following steps to recover the account.
- Check your inbox for an email with the subject line “Your Immunefi account has been temporarily locked” and click the “Change Password” button.
- Enter and confirm your new password.
- Log in using the new password that you just created.
- After logging in, you will be asked to use your authenticator app to verify your identity. You may also enter a backup code if you’ve lost your authentication device.
- Once you complete these steps, you will receive a notification informing you that you have unlocked your account.
How to allow users to trust devices
If you want to reduce the number of times you are asked to enter 2FA to log on to your account, your project admin can opt to allow users to trust their devices, which allows them to skip 2FA on devices they trust for 7 days.
To do this, your admin must have 2FA enabled for your team. Then they can click the slider labeled ‘Allow users to trust a device for 7 days’ under the ‘Team 2FA’ tab in the Project settings.
When this is done, all users will be given the option to trust their devices for 7 days when logging in to the Dashboard.
Note: Users that are a part of multiple projects must have the trusted device feature enabled for all associated projects before the feature will be available.
How to see which users have trusted devices
Project admins can see which users have trusted devices by clicking the ‘Users’ tab in the Dashboard. Each user that has a trusted device will have a green ‘Trusted device’ tag.
How to revoke trusted devices
To revoke all trusted devices, your admin simply needs to toggle the ‘Allow users to trust a device for 7 days’ slider to the off position. When they do so, a modal will appear asking to confirm. Click ‘Revoke all devices’ and all users will lose their active sessions and have to complete a full 2FA login.
How to add trusted devices as a user
Once your project admin has enabled users to add trusted devices, you will be given the option to trust your device when you log on. Trusting a device allows you to skip the 2FA check on that device for 7 days.
Note: Users that are a part of multiple projects must have the trusted device feature enabled for all associated projects before it will be available.
If you would like to remove trusted devices, you can go to your user settings and select ‘Revoke all my devices’ to remove all trusted devices from your account. Doing so will end all active sessions (apart from the one you are using) and require you to pass a 2FA check before you can log in again.
Furthermore, your project admin has the ability to revoke your trusted devices at any time.