What is "Two-Factor Authentication" (2FA)?

The biggest security risk in any system is the humans who use it. Many people re-use passwords on multiple websites and even the most savvy can sometimes fall foul of a scam that reveals a password to a bad actor. 


Two-factor authentication adds an additional layer of security by requiring users to enter a code from their phone in addition to their password. This means that - even if someone discovered or guessed your password - they could not access sensitive parts of Pianola unless they also had your (unlocked) phone with the authenticator app on it.


Pianola's 2FA has been designed to protect the areas of the site that are most sensitive: viewing / adding / editing / downloading members' details, sending emails, and changing the club's settings. When the feature is enabled users will need to provide a code from their phone when accessing those parts of the site.


Users will not need to enter a code to access non-sensitive parts of the site, such as a director uploading a game, or a regular member viewing their results, using the partner-finder, etc.


Turning on 2FA for the club

A user with the role 'Club administrator' needs to enable the extra security by selecting one of these options on the Admin > Settings page:


You can make it optional for other admin users to enable 2FA on their own accounts, or you can enforce that they do so. We recommend making it optional only for a short transitional period and enforcing the feature once all your admin users are familiar with it.


Setting up 2FA as a user

When the club has enabled 2FA, any user who tries to access the Members, Messages, Reports or Settings pages in the admin area will be presented with this screen:

Step One: Install an authenticator app on your phone

If you already have an authenticator app on your phone you can skip this step.


If you don't already have one, go to the App Store (Apple devices) or Google Play (Android devices) and search for an "authenticator" app. There are lots of free apps available and any app that supports the standard time-based one-time password (TOTP) format will work, but we've found Google Authenticator to be the most user-friendly and simple to use.


Step Two: Scan the QR code on your screen

Open Google Authenticator. It will offer to sign in with a Google account (which backs your codes up to that account so they can be restored on a new phone) or to use the app without an account (your codes then stay on this phone only). Either choice works with Pianola. A Google account could be a Gmail address, but it could also be any account that you use to log in to Google search, YouTube, etc.


When you're logged-in you should see a screen like this. 


Click 'Add a code'


Click 'Scan a QR code' and then point your phone at the QR code shown in your Pianola account (don't scan the code on this page that you're reading here!). The QR code contains the secret that your app and Pianola share, so don't screenshot or forward it.


Your Pianola account will be added to your app and it will show a six-digit code. This code is calculated from the shared secret and the current time, and it changes every 30 seconds, so a code that someone else has seen is useless almost immediately and nobody without the secret in your app can predict the next one.


Enter the code into Pianola and click 'Submit'



That's it! Your account is now secured and you will be asked to enter the six-digit code from the app each time you try to access a sensitive part of the site. You'll only be asked to do this once per session.



Admin for more than one club?

If you are an admin for more than one club you'll need to set up 2FA for each club that enables the feature. 


You can add an extra club by clicking the + symbol in Google Authenticator. 


It'll be easy to identify which club is which, as each entry in the app shows the club's name. Make sure to enter the right code for each club: each club has its own secret, so a different club's code won't work!
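The six-digit, 30-second codes described in Step Two are standard time-based one-time passwords (TOTP, RFC 6238), which is why any authenticator app works and why, as the section above explains, a code generated for one club is rejected by another. The following is an added example written for this page, not Pianola's own code, showing how such codes are generated and how a server should check them. It assumes Pianola uses the standard HMAC-SHA1, 6-digit, 30-second variant that Google Authenticator produces; the secrets below are the RFC 4226/6238 test key and a constructed second key, not real Pianola secrets, and the "Pianola" account names are illustrative only.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps store the shared secret in Base32, as it appears in the QR code."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def totp(secret_b32: str, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(decode_secret(secret_b32), int(unix_time) // step, digits)


class TotpAccount:
    """Server-side check of one user's code for one club.

    Accepts the current step plus `drift` steps either side (phone clocks are not perfect),
    compares in constant time, and refuses to accept the same step twice (replay)."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, drift: int = 1):
        self.key = decode_secret(secret_b32)
        self.step, self.digits, self.drift = step, digits, drift
        self.last_counter = -1  # highest step already used to log in

    def check(self, submitted: str, unix_time: float) -> bool:
        now = int(unix_time) // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if hmac.compare_digest(hotp(self.key, counter, self.digits), submitted):
                if counter <= self.last_counter:
                    return False  # a code that has already been used is rejected
                self.last_counter = counter
                return True
        return False  # a real server should also rate-limit to stop 1-in-a-million guessing


# Constructed sample data: RFC 4226 test key ("12345678901234567890" in Base32) for the
# first club and a different, made-up secret for the second club.
CLUB_SECRETS = {
    "Pianola demo club A": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "Pianola demo club B": "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP",
}


def club_codes(unix_time: float) -> dict:
    """What the authenticator app shows for each club at the same instant: one entry per secret."""
    return {club: totp(secret, unix_time) for club, secret in CLUB_SECRETS.items()}


if __name__ == "__main__":
    now = time.time()
    for club, code in club_codes(now).items():
        print(f"{club}: {code}  (valid for {30 - int(now) % 30} more seconds)")
    account_a = TotpAccount(CLUB_SECRETS["Pianola demo club A"])
    code_a = totp(CLUB_SECRETS["Pianola demo club A"], now)
    print("club A accepts its own code:", account_a.check(code_a, now))
    print("club A accepts the same code again:", account_a.check(code_a, now))
    print("club B accepts club A's code:", TotpAccount(CLUB_SECRETS["Pianola demo club B"]).check(code_a, now))
```

The replay and drift handling is the part a server gets wrong most often: without `last_counter` a code captured by a phishing page can be replayed within the 30-second window, and without `drift` a phone whose clock is a few seconds slow is locked out. The RFC test key lets the generator be checked against published values (for example, the code at Unix time 59 is 287082).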