Introduction

On your account's Security page, you can add or remove secondary authentication factors.

An authentication factor is something which verifies your identity. It is generally used in addition to your username and password. This helps prevent unauthorized access to your account, by requiring two or more steps to log in. It works very similarly to two-factor authentication on popular web apps like Gmail.

This article shows you how to configure it for your HelloID account. Note that two-factor authentication is only available if your IT department has enabled it.

Enable two-factor authentication

To get started, select the User profile menu in the upper-right corner. Then select the Security link.

HelloID supports the following factor types. Depending on your organization's policies, not all types may be available.

• Email
  An authentication code sent via email.
• Text message
  An authentication code sent via SMS.
• Authenticator
  A software-based 2FA authenticator app, such as HelloID Authenticator, Google Authenticator, or Microsoft Authenticator.
• Classic Hardware Token
  A hardware-based OATH TOTP token. Provides one-time numerical codes, usually via an LCD screen.
• Security key
  A hardware-based FIDO/U2F or FIDO2/WebAuthn security key, such as a YubiKey or Titan Security Key. Connects to your device via USB, Bluetooth, NFC, or other protocol to perform a cryptographic exchange.
• RADIUS Server
  Most commonly used when your organization is switching to HelloID, to let you re-use the same authentication token you were using before.

View a list of tested classic hardware tokens and security keys.

Enroll a second factor

Select Add for your desired factor type, and follow the instructions below.

Email

1. Enter and confirm your email address. Select the Send code button.
2. Check your email for your 6-digit code.
   
3. Enter your 6-digit code on the following screen:
   
4. Your email address is now enrolled as a second factor.

Text message (SMS)

1. Enter and confirm your phone number. Select the Send code button.
   
2. Check your phone for your 6-digit code, and enter it on the confirmation screen.
   
3. Your phone number is now enrolled as a second factor.

Authenticator (Push authentication)

Download and install a mobile 2FA app, if you don't already have one. Recommended 2FA apps include:

• HelloID Authenticator
  Android, iOS
• Google Authenticator
  Android, iOS
• Microsoft Authenticator
  Android, iOS

The benefit of using the official HelloID Authenticator is push authentication. Instead of manually typing in a 6-digit code, you simply tap a button. Learn how to log in with push authentication. Third-party authenticator apps such as Google and Microsoft Authenticator do not support push authentication with HelloID.

HelloID Authenticator

1. After selecting Add on the HelloID security overview page, a QR code appears.
   
2. In the HelloID Authenticator app, select the plus sign.
   
3. Scan the barcode as instructed.
   
4. Your HelloID Authenticator app is now enrolled as a second factor. For instructions on logging in with push authentication, see Use push authentication.
   

Third-party authenticator

1. After selecting Add on the HelloID security overview page, a QR code appears.
   
2. In your third-party authenticator app, add a new login and scan the QR code. You will get a 6-digit code.
3. Enter a label and the 6-digit code:
   
4. Select the Save button.
5. Your third-party authenticator app is now enrolled as a second factor. You will be required to enter your 6-digit code each time you log in.

Classic Hardware Token

You must contact your IT department to add an OATH TOTP classic hardware token. End users aren't allowed to manually add a classic hardware token. 

Security Key

1. After selecting Add on the HelloID security overview page, your device's operating system prompts you to plug in and configure your security key. This process differs by operating system and security key type. Consult outside documentation if needed.
2. Enter a label for your security key.
   
3. Select the Save button.
4. Your security key is now enrolled as a second factor.
   

Enroll and manage multiple factors

You can enroll multiple factor types (as well as multiple factors of a single type) to give yourself more login options. For example, you could enroll an Authenticator app and an email address. Or, you could enroll two (or more) email addresses. Or, any other combination.

To do so, simply select the relevant Add link and repeat the enrollment process.

To view all the enrolled factors of a single type, select the relevant blue arrow :

After you have enrolled more than one factor, you will be prompted to select a factor when logging in:

Set a default factor

After you have enrolled multiple factors, you can set one as the default. This lets you skip the Choose a factor screen when logging in.

If you haven't yet set a default factor, the factor you use during your next login will automatically be set as default. Use the instructions below if you need to change it.

1. Select a blue arrow to expand the relevant list of factors. Locate the factor you want to set as default and select its hollow star .
2. Select the Confirm button.
   
3. The hollow star  changes to a solid star . The factor is now set as default.
   
4. You will now skip the Choose a factor screen when logging in. If you need to log in using an enrolled factor which is not set as default, select the Other factors link:
   
   You are taken back to the Choose a factor screen.

Remove a second factor

1. Select a blue arrow to expand the relevant list of factors. Locate the factor you want to remove and select its Remove link.
2. Select the Confirm button.
   
3. Your factor is now removed.