2FA for your OpenVPN Account
This document provides information about setting up two-factor authentication (2FA) for your OpenVPN website account, saving rescue codes, and switching between 2FA authentication methods. We also include security best practices.
Your OpenVPN website account is separate from your Admin Web UI administrator account for OpenVPN Access Server.
If you lose your phone or otherwise can’t get codes by text, call, or a TOTP authenticator app, you can use your rescue codes.
How to turn on 2FA for your account
You can enable 2FA for your OpenVPN.net account by following these steps:
- Click Login on the OpenVPN home page.
- Click on your desired portal (Access Server, OpenVPN Cloud, or Support).
- Sign in with your username and password.
- From the portal, click on the user icon in the top corner.
- Click My Account.
- Click 2FA Settings.
- Click the toggle to turn on 2FA.
- Enter your account password and click Confirm.
- Select email authentication or authenticator app as your 2FA method. By default, email authentication is selected. We recommend using an authenticator app as it’s more secure.
- When you select the authenticator app, enter your password and click Confirm.
- Enter the verification code sent to your email.
- Scan the QR code for your authenticator app that displays on the next screen.
- After the secret saves in the app, click Next.
- Enter the code from the authenticator app and click Verify.
- Rescue codes display on the next screen. Save these codes. Refer to the next section for details.
- After saving your rescue codes, click I have saved the rescue codes and click Confirm.
Note: When you switch from email (the default selection when you first enable 2FA) to an authenticator app, you are prompted to enter a verification code sent to your email.
How to save rescue codes
When you set up 2FA for a TOTP app, such as Google Authenticator on your phone, we provide you with rescue codes after you’ve saved the secret to your app.
Save your rescue codes by printing or writing them down. If you can’t sign in with your authenticator app, you can use one of the codes. Save them with one of these two methods:
- Click on the eye icon to view the codes and write them down.
- Click on the download icon to save your codes to your device.
You must acknowledge that you’ve saved your codes before you can click Confirm and complete your 2FA authenticator app setup.
Note: Rescue codes are single use only.
How to regenerate rescue codes
If you’ve lost your rescue codes, you can generate new codes by turning 2FA off and then back on:
- From your OpenVPN.net account, click your account icon in the top corner, then click My Account.
- Click 2FA Settings.
- Turn off two-factor authentication.
- Enter your password and verification code.
- This turns off 2FA, so click the toggle again to turn it back on.
- Follow the steps outlined in the section above, “How to turn on 2FA for your account.” Ensure you carefully save your new rescue codes when you get to that step.
How to switch 2FA methods
You can switch between the available 2FA methods, email or authenticator app, by following these general steps:
- Sign in to your openvpn.net account on the website by selecting the portal for your product, Access Server or OpenVPN Cloud.
- Click on the user icon in the top corner and click My Account.
- Click 2FA Settings.
- Click the radio button for the other authentication method.
- Reenter your password.
- Enter your 2FA code from your current authentication method. (If you are switching from email to authenticator, enter the code sent to your email. If you are switching from authenticator to email, enter the code from your authenticator app.)
- Alternatively, you can enter a rescue code here if you can’t access your email or authenticator app.
- You’ve successfully switched 2FA methods.
Security best practices
We recommend following these security best practices:
- Store your rescue codes somewhere safe and separate from your phone.
- Print the codes and store them in a safe place such as where you keep your important belongings.
- Share your codes with another, trusted person within your company (if possible).
- Remember to set a PIN for your phone where you’ve installed your authenticator app.
Switching devices with authenticator apps
If you need to switch the phone or other device where you’ve saved your secret for 2FA, you need the time-based one-time password (TOTP) seed. Depending on your app, you can follow steps to export it. For instance, Google Authenticator can export the seed as a QR code; see Google’s help article “Get verification codes with Google Authenticator.”
Refer to the documentation for your authenticator app for instructions on how to export the TOTP seed.