Do I have to pay more for two-factor authentication on my Shotgun site?
No. We believe two-factor authentication is an important security feature that everyone should have. So, once we move out of the pilot release and into the full release, two-factor authentication will be available to all sites regardless of your support plan. If you're interested in testing the pilot release, send us a support request!
What if my phone is lost or stolen?
Hopefully you've got backup codes! If you do, you should use them until you get a new mobile device. If you don't, get in touch with your Shotgun Admin ASAP! You can request help from the two-factor authentication code entry screen after entering your password. Clicking "Get help" will automatically email all of the Admins for your Shotgun site (and cc you). You can, of course, also get in touch with them directly. From there, your Admin will need to reset your two-factor authentication settings, and you will need to reconfigure two-factor authentication for your account with your replacement device. If you don't have a replacement device or backup codes, Shotgun allows Admins to generate backup codes on behalf of a User (the Admin then gives you the codes) as a last resort in these situations.
What if I don't have my phone with me (but it's not lost or stolen)?
The answer here is essentially the same as the scenario where your phone is actually lost. Use backup codes if you have them and ask your Admin for help if you don't.
What if I get a new phone?
Congratulations on getting a new phone! Once you have it up and running, be sure to update your account settings and pair your new phone to your Shotgun account. If you use multiple Shotgun sites, you will need to do this on all of the sites that have two-factor authentication enabled. Note that you may still need your old phone to log into Shotgun one more time in order to change your settings. You can of course also use a backup code for this. If all else fails, request help from your Admin as described above.
What if I lose my backup codes?
If you lost the printout of your backup codes, you can revoke them in your account settings. Click Show Backup Codes, then click Generate new codes. This will invalidate the previous set of backup codes and generate a new set.
Can I receive codes via text message (SMS) instead of using the Google Authenticator app?
Not yet. For the pilot release of two-factor authentication, Shotgun only supports Google Authenticator for verification codes. But, as we move toward the full release, we will definitely add support for receiving codes through text messages as an additional option. We feel strongly that it will be critical to cover this and ensure that all Shotgun Users who need to use two-factor authentication will be able to do so, even if that User doesn't have an iOS, Android, or Blackberry device.
Can I still get a code if my mobile phone doesn't have data reception?
Yes! The Google Authenticator app does not require a data connection to generate two-factor authentication codes as long as your mobile phone's date/time settings are in sync. As you can see in the screencap, Google Authenticator will continue to refresh its codes even in airplane mode.
Why aren't my Google Authenticator codes working (Android)?
This might be because the time on your Google Authenticator app is not synced correctly.
To make sure that you have the correct time:
- Go to the main menu on the Google Authenticator app.
- Click Settings.
- Click Time correction for codes.
- Click Sync now.
On the next screen, the app will confirm that the time has been synced, and you should now be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date & Time settings.
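The two answers above (codes work without data reception, and codes fail when the app's time is off) both follow from how time-based codes are computed. The sketch below is an added example, not Shotgun's or Google's code: it implements standard TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits). The secret is the RFC's published test key, and the server-side acceptance window is an assumption, since the page does not say how much drift Shotgun tolerates.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app

def totp(secret_b32, unix_time):
    """Code derived only from the shared secret and the clock: no network needed."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time, window=1):
    """Server-side check. `window` (assumed value) is how many steps of clock
    drift are tolerated on either side of the server's current step."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):       # constant-time comparison
            return True
    return False

def clock_skew_steps(phone_time, server_time):
    """How many 30-second steps the phone's clock is away from the server's."""
    return int(phone_time) // STEP - int(server_time) // STEP

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_now = 1111111109                           # constructed server clock
    phone_code = totp(SECRET, server_now + 2)         # phone 2 s fast, next step
    print("phone shows:", phone_code)
    print("strict check (window=0):", verify(SECRET, phone_code, server_now, 0))
    print("tolerant check (window=1):", verify(SECRET, phone_code, server_now, 1))
    # A phone 5 minutes fast is 10 steps away, far outside a one-step window,
    # which is the situation "Sync now" corrects.
    print("steps off at +300 s:", clock_skew_steps(server_now + 300, server_now))
```
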
Do all of the Users on my Shotgun site need to use two-factor authentication?
For now, yes. In our pilot release, two-factor authentication is a site-wide preference, meaning it's either on or off for all Users. We plan to soften this requirement for the full release, and would love to get feedback on the ideal way that should work. There's a great discussion happening now on the shotgun-dev list. Have a read if you're interested and weigh in with your thoughts!
Can I use [insert your favorite alternate two-factor authentication option] instead of Google Authenticator?
For now, no. But, we're open to supporting additional two-factor authentication options beyond Google Authenticator and text messages (still to come, but consider us committed to it) down the road. If you have specific needs for a different option than what we provide, let's discuss that requirement! Start a thread in our feature request forum, send an email to the shotgun-dev list, or reach out through support. We'd love to talk.
Are API calls or mobile logins affected by 2FA?
Yes, it affects all logins (API, mobile, web).
How does 2FA work with API calls?
If you are using user-based authentication via the API, the script will always need human intervention, just to start the script. When you run the script, it will return a prompt asking for the secondary credential.