This article describes how to enable and disable Two Factor Authentication (2FA). It is also important to create backup codes and keep them safe in case you need to reset your 2FA.
NOTES & REQUIREMENTS:
Some older versions of Ubiquiti services are not 2FA-ready, and when you enable 2FA it is enabled for all Ubiquiti services. In these cases, when you are not asked for the 2FA token and you are using your ui.com account, you must still provide it by typing your password, a vertical bar (|), and the 2FA token in the password field. For example, for an account with the following:
You would type the following in the password field: 2931utkyu|987099
As always, we recommend updating to the newest version available to experience our newest features.
Table of Contents
- How to Enable 2FA
- How to Create Backup Codes
- How to Disable 2FA
- How to Access a Locked Out Account
Two Factor Authentication, also known as 2FA, is a two step verification process that requires more information in addition to the usual username and password. This extra piece of information is something only the user will know or have physically with them, like a token sent to a mobile app, for example. It is very important to create backup codes the moment you enable 2FA on your account.
How to Enable 2FA
1. Download and install Google Authenticator to your mobile phone. Authy will also work, but since this article is using Google Authenticator as an example, the steps might vary slightly.
2. Go to https://account.ui.com and sign in.
3. Select Security from the left-hand menu. In this section you can change your account password and session timeout period as well as enable two-factor authentication.
4. Enable two-factor authentication by clicking on the toggle. This will bring up a small pop-up window with a QR code and a Secret Code under it.
Save this Secret Code somewhere safe. You can use this to enable your account again if you were to get locked out (if for example you change mobiles or delete the authenticator by mistake).
5. Open the Google Authenticator app on your phone, tap menu, then tap Begin Setup > Scan barcode. If you already have other accounts, you would click the plus sign (+) on the upper right and then Scan barcode.
6. Your phone will now be in "scanning" mode. Go ahead and scan the QR code that appeared in the account.ui.com pop-up window.
7. Enter the 6-digit authentication token provided by Google Authenticator into the pop-up window.
8. Click Submit.
How to Create Backup Codes
It is extremely important to create a set of backup codes the moment two factor authentication is enabled. These codes will allow you to unlock your account to disable 2FA if you were to somehow lose access to your authenticator app (for example, if you lost your mobile).
1. Access your account settings by logging in to https://account.ui.com with your username, password and the 6-digit authenticator token.
2. Go to the Security section.
3. Under the Two-Factor Authentication header, enter the 2FA token shown in the Google Authenticator app and click Generate new backup codes.
ATTENTION: Generating new backup codes makes any previously generated ones obsolete.
4. You will be given a list of 10 backup codes; copy them somewhere safe. If there's a possibility someone has gained access to your codes, generate new ones to make those compromised ones obsolete.
How to Disable 2FA
1. Go to https://account.ui.com and sign in.
2. Select Security from the menu.
3. Under the Two-Factor Authentication header, click on the Disable Two-Factor Authentication toggle.
4. Use Google Authenticator on your mobile to get a token to insert in the field provided.
5. Click Submit.
How to Access a Locked Out Account
If you are locked out of your account because you changed mobiles, deleted the authenticator app by mistake or lost your phone, you can get access to your account once more with one of these methods.
Reset 2FA Using Backup Codes
1. Go to https://account.ui.com, enter your username and password as usual, and when prompted for the 6 Digit Token, click on Reset 2FA instead.
2. Now just paste one of the backup codes you previously saved and click the Reset 2FA button.
3. Two factor authentication is now disabled. Click Back to log in with username and password and follow the procedure to enable it again. Remember to create a new set of backup codes.
Access Account with Secret Code
The Secret Code appears only once, when you first enable 2FA on your account (see How to Enable 2FA). You can use this code to connect your existing account with a newly installed authenticator app. Do so by following these steps:
1. Open Google Authenticator and click the + to add another account.
2. Instead of selecting Scan barcode as you would when setting up a new account, select Manual entry.
3. Provide your Ubiquiti account in the space provided and your Secret Code in the space provided for Key. You may provide your username or email; that does not seem to make a difference, but it is how you will identify your authenticator token when looking at the Google Authenticator app.
4. Click the checkmark in the upper-right hand corner to save.
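The Secret Code restores access because an authenticator app derives every 6-digit token from that secret and the current time (TOTP, RFC 6238), so anyone holding the code can produce valid tokens. The sketch below is an added example, not Ubiquiti's code; it assumes the usual Google Authenticator parameters (base32 secret, HMAC-SHA1, 30-second step, 6 digits) and uses the public RFC test key rather than a real Secret Code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: base32 form of the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret: str) -> bytes:
    """Decode a Secret Code as a user might type it (spaces, dashes, lowercase, no padding)."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was stripped
    return base64.b32decode(cleaned)


def totp(secret: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Return the token an authenticator app would show at Unix time `at`."""
    now = time.time() if at is None else at
    counter = int(now // step)  # number of 30-second steps since the epoch
    mac = hmac.new(decode_secret(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: str, token: str, at: Optional[float] = None,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side (clock drift)."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, now + drift * step, step), token)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Two "phones" holding the same secret show the same token at the same moment.
    old_phone = totp(SAMPLE_SECRET)
    new_phone = totp("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print(old_phone, new_phone, old_phone == new_phone)
```

A token stops verifying once it falls outside the drift window, which is why a phone with a badly wrong clock produces tokens the server rejects.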
Other possible issues and solutions are discussed in this Google 2-Step Verification Help article. If you have lost access to your account, but did not generate backup codes or save the Secret Code when you first enabled 2FA, and none of the solutions in the above link helped, please contact firstname.lastname@example.org from the email you have registered on your Ubiquiti account and request they reset 2FA.