Two Factor Authentication
From Account Management
Enabling two-factor authentication (2FA) is crucial to reliable account security. We strongly suggest implementing a second factor on your Packet Storm account, and have even considered making it a hard requirement. Having a second factor helps mitigate phishing attacks and improves the overall security posture of accounts. We cannot stress enough the importance of adding a second factor.
Packet Storm provides two options for a second factor and we suggest you implement both. (We do not use SMS for second factor, as it can be intercepted.)
1. The first option is a Time-based One-Time Password (TOTP). We adhere to the RFC-6238 specification. Turning on this option lets you generate a rolling six-digit code that lasts for 30 seconds at a time, and it's based on a shared secret between your device and our systems. Because the secret is accessible and not stored in hardware, it is considered the less secure of the two options.
2. The more secure second option is to use a hardware key that supports WebAuthn, where your stored secret is not (normally) extractable. We still suggest using TOTP as a back-up if something happens to your hardware key(s).
To get to your two-factor authentication settings, click the Menu button at the upper left of your screen and then click Settings.
Under the Two Factor Authentication menu, you will see options for both TOTP and hardware key settings.
To turn on TOTP, click Enable. This will take you to another page where you will be prompted to enroll your secret into your TOTP application and confirm the code. The page will provide you a list of static second factors for break-glass situations.
Using an application like Google Authenticator allows you to scan a QR code to automatically add a new secret. If you would prefer not to scan the code, you can use the secret listed below the code.
Once enrolled on your device, we need you to verify it is generating codes correctly. To do this, enter your code into the Current Six Digit Code field and then enter your passphrase into the Current Passphrase field so we can confirm it's you, and not just someone walking by your unlocked screen. When both items are entered, click Click to Enable to finish adding the second factor. If something has gone wrong during the process, you can use Regenerate Secret to start over.
The codes listed on this page should not be discarded. Please print them out and store them somewhere safe. These codes can be used as emergency, break-glass second factors if your TOTP device is no longer available and you don't have WebAuthn set up. We will have no way to validate your identity for a second factor if you lose your second factor devices, so these codes are critical for continued access to your account. Each code is single use.
After you select Click to Enable and you are successfully enrolled, you will be taken back to the main Settings page, where you will see the function is enabled.
The second option Packet Storm offers is using a hardware-backed key that adheres to the WebAuthn RFC-8809 specification. This can be Touch ID on a Mac, a YubiKey, or any device that supports this specification. Note: We have seen some instances of Firefox and Chromium (integrated with Burp) failing to authenticate. Google Chrome and Safari work. Be warned that this is still a feature with bugs.
To enable a hardware key using WebAuthn, click Register a Key.
The next page will ask you to name your key. Then click Register using WebAuthn. After you're authenticated to your key, you will be enrolled. Note: If you do not have TOTP enabled and you also don't have more than one key enabled, you run the risk of getting locked out of your account because you only have a single second factor. We recommend always creating a backup second factor.
After you add a key, you will see it show up under the Two-Factor Authentication area of your settings page.
Upon your next login, you will be forced to use your second factor. If you have both WebAuthn and TOTP activated, it will default to your hardware key. This is the most secure method for authentication.
Packet Storm will give you the option to use TOTP if you have TOTP set up and have lost access to your WebAuthn key.
If you click Use TOTP Backup? or only had TOTP enabled, you will see this screen.
If you have any questions, feel free to send a message to a sysop.
© 2024 - 2025
All Rights Reserved Packet Storm Security, LLC
| Hosting provided by: RokaSecurity