Toby Crawley edited this page Jun 28, 2020 · 5 revisions

Clojars supports requiring two-factor authentication to log in. It is configured on a per-account basis.

Enabling it

Clojars uses time-based one-time passwords (TOTP) to implement two-factor auth. To use it, you will need a device capable of generating TOTP codes. There are several applications for mobile phones (search for "TOTP" or "two-factor" in your app store). Password storage applications (such as KeePassXC or 1Password) also provide TOTP generation, but keep in mind that having a single application/device supplying your password and TOTP code somewhat defeats the purpose of two-factor auth.

Once you have a device that can generate TOTP codes, you will need to enable it on Clojars and link your device to your Clojars account.

  1. Visit https://clojars.org/mfa/
  2. Enter your password
  3. You will be presented with a QR code to scan with your device. If you are using a device where you can't scan the QR code, you can copy and paste the shared key instead.
  4. Once you have set up your device, you will be asked to enter a code generated by your device. This is used to verify that the setup is correct, and two-factor auth will not be enabled on your account until you enter a correct code.
  5. Once you have verified your setup, two-factor auth will be enabled for your account and you will be presented with a one-time use recovery code. Save this code somewhere safe. This code can be used in place of a TOTP code when logging in, but only once. Using this recovery code will disable two-factor auth on your account, requiring you to set it up again.

Logging in with a two-factor/TOTP code

To log in, you will need to provide your password and a TOTP code on the login page. Note that TOTP codes are dependent on the clock on the device being relatively close to the clock on the server. If there is any skew there, it's possible for the code to be rejected. If your code is rejected, please try again with a code that has several seconds remaining on its validity.
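The clock dependence described above can be seen in a small RFC 6238 sketch. This is an added example, not Clojars' own code: the 30-second step, 6 digits, HMAC-SHA1 and the `window` parameter are assumptions (RFC 6238 defaults), and the shared key is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed, not confirmed for Clojars)
DIGITS = 6   # code length (assumed)

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=0):
    """Accept a code matching any step within +/- `window` steps of the server clock."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False

def seconds_remaining(unix_time, step=STEP):
    """Seconds until the code generated at `unix_time` rolls over."""
    return step - int(unix_time) % step

# Constructed sample: the RFC 6238 test key "12345678901234567890", base32-encoded.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_ahead = 2  # constructed skew: server clock is 2 seconds ahead of the device
    for device_time in (1111111085, 1111111109):
        code = totp(SECRET, device_time)
        ok = verify(SECRET, code, device_time + server_ahead)
        print(f"code={code} remaining={seconds_remaining(device_time)}s accepted={ok}")
```

With a two-second skew, the code generated with 25 seconds remaining is accepted, while the one generated with 1 second remaining falls into the next time step on the server and is rejected unless the verifier tolerates adjacent steps.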

Recovery

As noted above, you will receive a recovery code when you set up your two-factor authentication. If you lose access to your two-factor device, you can use this code to log in. Doing so will automatically disable two-factor auth on your account. It is important that you keep this code, as it may be difficult for the Clojars admins to verify your identity to disable two-factor auth on your behalf.