Enabling Two-Factor Authentication (2FA) on UpStream

 

What is Two-Factor Authentication (2FA)?

Since the earliest days of computing and through many decades of business and personal use, users have consistently proven their identity to an operating system, application or website via the common Username and Password system. This combination of something that identifies the individual (the Username) and something the individual knows (the Password) has been a pair of keys that, when turned simultaneously, provides access to the system or service.

In our internet-inured world of the present, Usernames have long since adopted the email address as their unique identifier and are pretty easy to find or guess given email’s ubiquity as a communication system; they are no longer a viable “key” for identity-proofing because they are so easy to determine. Passwords, however, are something only the user knows (or at least are intended that way; we won’t get into Post-It Note passwords, Shared passwords or any of the various travails of the real world) and this “knowledge” of something that is otherwise secret is still useful as a key when accessing a system or service.

This proof-of-knowledge methodology has been reasonably functional for many use cases throughout that time, but the prevalence of new security threats and easier-than-ever means of fooling users into unwittingly giving away that Username and Password combination to malefactors have made it a low barrier of security when used on its own, leading to tens of thousands of compromised accounts every year, both business and personal. The data contained within a compromised account can be used for any number of nefarious purposes, but the goal usually winds up being to extort money from someone or some organization in the end.

Multi-Factor Authentication, commonly abbreviated as MFA or 2FA (Two-Factor Authentication), is an enhanced means of proving your identity to a system. It combines two or more “factors” that the user possesses to authenticate themselves to the system as the intended user. Sticking with the door and key example, it’s essentially adding more keyholes to the door that new keys (the “factors”) can be inserted into for that simultaneous turning to provide access. These new keys are vastly more difficult to steal than a mere Username and Password combination, and provide another strong layer of defense against most common attackers.

These factors are commonly grouped into three classes:

  1. The Password is considered “Something you know,” and is the easiest to steal in a variety of technical and non-technical ways.

  2. A Security Token, like a physical keyfob, is “Something you have,” and generally requires some casual physical access to the user to obtain.

  3. Something that is intrinsic to the user, like a retina or fingerprint, is considered “Something you are,” and can be the most challenging to acquire.

Using two or more of these factors greatly increases the security of any given service or system, because obtaining access requires additional “keys” that are much more difficult to procure.

Simply put, Two-Factor Authentication enhances security for accounts. If passwords are compromised due to a data breach or attack, malicious actors will still be unable to access accounts, keeping information secure. 2FA is an easy way to protect against common threats like the risk of reusing the same password, phishing scams, and data breaches.


Setting up Two-Factor Authentication on UpStream is composed of two steps: obtaining an Authenticator application (if one isn’t already on hand; if one is, you’re more than halfway done already), then configuring the UpStream login to use it going forward.

Note: In the event of an administrative lockout, wherein the system administrator locks themselves out and does not have their Recovery Codes usable, please contact UpStream Support for access reprovisioning.

 

Downloading an Authentication Application

To use UpStream’s 2FA Authentication, an Authenticator application is needed. Many such applications exist from multiple security providers, including Microsoft, Google, Twilio, Duo, Okta and others.

If one of these applications is already available, proceed ahead to the next section.

If such an Authenticator is not available, or the one that is already available is incompatible, please follow the below instructions.

Start by downloading an authentication application to a personal mobile device. Authentication apps meet 2FA requirements by generating Time-Based One-Time Passwords (TOTPs) that authorized users can use to access an account.

Two popular options for authentication applications are Google Authenticator and Microsoft Authenticator. Links to both the Apple App Store (for iOS devices) and Google Play Store (for Android devices) are included below.

Google Authenticator

Microsoft Authenticator: 

After downloading and installing the desired authentication application to a mobile device, proceed to the next section.

 

Configuring UpStream and Authentication Application for 2FA

Conveniently, setting up 2FA only takes a couple of minutes and is accomplished almost entirely from the UpStream web interface.

To begin, log into your UpStream system via the web browser.

From the UpStream homepage, click the Settings tab.

Within the Settings tab, users can manage the privacy and security settings of their accounts. 

From the User Management tab, locate the section titled “Two-Factor Authentication”.

Next, there are two ways to connect UpStream to an authentication application: via QR Code or an OTP Secret Code.

  • QR Code: Scan a QR code within the authentication application.

  • OTP Secret Code: Type in a unique secret code into the authentication application (Note: This option may not be available for all authentication applications).

 

Authenticating via QR Code

Open the authentication application, and select the option to add a new account.

On most authentication apps, this will be a “+” sign.

Select the option to add a new account via a QR code.

Microsoft Authenticator’s QR Code scan.

Google Authenticator’s QR Code scan.

The mobile device’s camera will automatically open.

Point the camera directly to the QR code located on the UpStream screen.

Once properly focused on the code, the application will scan and register the UpStream application.

Once you have successfully scanned the QR code, UpStream will appear listed in the application’s connected accounts. 

Find the 6-digit code associated with UpStream in the authentication app, and type it into the Code section. 

Note: The 6-digit codes are time-based and expire after a set period of time. If too much time has elapsed, go back and find the new code in the authentication application.

After typing in the 6-digit code, press Register.

This will complete the process of connecting UpStream to a mobile authentication application. Now, as part of the login process, after password entry, users will be required to input a 6-digit code from their authentication application in order to verify access. 

Confirm that 2FA has been successfully activated by looking for the green “ON” status. 

A list of 10 recovery codes will appear on the screen. Store these codes somewhere safe, as they can be used to gain access to an UpStream account if the mobile device carrying the 2FA codes is unavailable (say, when a device is lost, replaced or factory reset).

 

Authenticating via OTP Secret

Open the authentication application, and select the option to add a new account. On most authentication applications, this will be a “+” sign.

Select the option to add a new account via a code/setup key.

Manually type the OTP Secret Code from the UpStream account into an authentication application. 

Example code: ABCDEFGHI7Q56A5VLAJXRIZBUYWIPECVB

Once the code has been successfully submitted, UpStream will appear listed in the application’s connected accounts.

Find the 6-digit code associated with UpStream in the authentication application, and type it into the Code section. 

Note: The 6-digit codes are time-based and expire after a set period of time. If too much time has elapsed, go back and find the new code in the authenticator app. 

After typing in the 6-digit code, press Register. 

This will complete the process of connecting UpStream to a mobile authentication application. Now, as part of the login process, after password entry, users will be required to input a 6-digit code from their authentication application in order to verify access. 

Confirm that 2FA has been successfully activated by looking for the green “ON” status. 

A list of 10 recovery codes will appear on the screen. Store these codes somewhere safe, as they can be used to gain access to an UpStream account if the mobile device carrying the 2FA codes is unavailable (say, when a device is lost, replaced or factory reset).
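How the 6-digit codes in both setup methods are derived from the shared secret, as an added example that is not UpStream’s own code: it implements standard TOTP (RFC 6238) and assumes the common defaults of HMAC-SHA-1, a 30-second time step and a one-step drift window, none of which this page states for UpStream. The secret is the RFC test key, constructed for illustration; the function names, the account label and the otpauth:// URI layout are likewise assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# an "OTP Secret Code" is usually displayed. Not a real UpStream secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as typed by hand: spaces, lower case, no padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing unix_time (assumed SHA-1, 30 s)."""
    counter = int(unix_time) // step
    key = decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: float,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step)
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok


def provisioning_uri(secret_b32: str, account: str, issuer: str = "UpStream") -> str:
    """otpauth:// URI of the kind a setup QR code carries (assumed format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits=6&period=30")


if __name__ == "__main__":
    print(totp(SECRET, 59))               # 287082
    print(verify(SECRET, "287082", 89))   # True: one step late, inside the window
    print(verify(SECRET, "287082", 149))  # False: the code has expired
    print(provisioning_uri(SECRET, "user@example.com"))
```

The QR code and the typed secret deliver the same value to the authenticator, so anyone who captures either during setup can generate valid codes; treat both like a password.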
