How to set up Two-Step Login on your Secrets Vault

By Jay Kannaiyan

Two-Step Login, which goes by many different names, is a highly-recommended security practice for securing access to websites and applications. Other names for this practice are Two-Factor Authentication (2FA), 2-Step Verification, and Multi-Factor Authentication. We'll use 2FA for the rest of this guide.

The main premise behind 2FA is that after you enter your password (the first step, method, factor, or piece of evidence in proving your identity), you will be prompted to enter a token generated either by an Authenticator app, by a hardware security key (like a YubiKey), or sent via SMS (text message) to your phone. These days SMS is considered an unsafe method for delivering the 2FA token because malicious actors could intercept your SMS messages and thus gain access to your 2FA-protected accounts. Most banks still use SMS as the 2FA token delivery method, and hopefully they will upgrade their security practice soon.

Since your Secrets password manager stores all of your logins, we highly recommend that you secure your password vault with 2FA. Doing so protects all of your logins by preventing a malicious actor from accessing your vault, even if they somehow discover or guess your master password, which you should commit to memory and never write down anywhere.

Enabling 2FA on your vault will require you to complete a secondary step each time you log in, in addition to your primary login method (your master password). You won't need to complete the secondary step to unlock your vault, only to log in.

This article will guide you in setting up multiple different 2FA methods for your vault. Setting up multiple 2FA methods is best practice so that in case you lose access to one of your 2FA methods you will be able to use one of your other 2FA methods to gain access to your vault.

Guide to setting up Two-Step Login (2FA) on your Secrets Vault:

Step 1: Sign in to your Ayam Secure Secrets Web Vault

2FA set up happens in the Secrets Web Vault (secrets.ayamsecure.com) rather than the browser extension or mobile apps.

Step 2: Set up Email as a 2FA Method

Once you're signed in to your Web Vault, on the upper right, select the profile icon and choose Account settings.

Then from the left sidebar, select Security, and then from the tabs, select Two-step login.

Notice the prominent warning about permanently losing access to your Secrets Vault if you lose access to all of your 2FA methods. As a backup, you can use a Recovery Code, which becomes available once a 2FA method has been set up.

First, we'll set up Email as a 2FA method and then we'll set up Authenticator app as a second 2FA method.

At the bottom of the page, click on the Manage button to the right of Email, which is the last 2FA "provider", another name for method.

After entering your master password, ensure that the correct email address is entered in the first input box and then click Send email after which you should see a message saying Verification email sent to ... your email address.

Go to your email inbox and look for the email from Ayam Secure Secrets with the subject of Your Two-step Login Verification Code.

Copy the 6-digit passcode and return to your Secrets Web Vault and paste the passcode in the second input box and click on Turn on.

After verifying that everything looks good, click on the Close button.

Now you have enabled Email as a 2FA method on your Secrets vault and you can confirm this by the green checkmark icon next to Email.

If you ever want to disable this Email 2FA method, visit this same page, click on Manage and Turn off.

Step 3: Save your 2FA Recovery Code

Now that you have a 2FA method enabled, let's view and save your Recovery Code.

At the top of the Two-step login page, click on View recovery code and after entering your master password, you will be shown your recovery code.

Copy the string of 32 letters and numbers and save it in a safe place. We recommend saving it in your Secrets Vault as that is most likely the safest place for all of your secrets.

Of course, there could be a situation where you lose access to your 2FA methods, and to log in to your Secrets Vault you then need the recovery code that is saved inside that same vault. For this reason we recommend using the Bitwarden app on several different devices, so that you always have access to your vault somewhere. For example, use the Bitwarden mobile app on your phone secured with your fingerprint or Face ID biometrics, the desktop app, and the browser extension.

Remember that you only need your 2FA token when logging in to your Secrets Vault. So, as long as you are logged in to your Secrets Vault on various devices, which should lock after a certain idle time has passed, you will be able to unlock your Secrets Vault with only your master password.

To save the recovery code in your Secrets Vault, click on the Vaults menu item on the upper left to navigate back to your Secrets Vault, and then find your Ayam Secure Secrets login item.

If you haven't already saved your Secrets login in your Secrets Vault, do so now by clicking on New and then Item. We recommend saving your Secrets login details in your Secrets Vault so that in case you forget your master password, you can open your vault on your phone, which if it's secured by biometrics won't prompt you for your master password.

Click on your Secrets login item, then towards the bottom under Custom Fields, select New custom field of type Text.

Give this custom field a name of 2FA Recovery Code and paste the contents in Value and click Save.

You can also save this recovery code in any other location that you deem to be highly secure, such as a bank safety deposit box.

Step 4: Set up Authenticator App as a 2FA Method on Apple iOS


Email is not considered the most secure 2FA method because a malicious actor who can intercept or read your email can read your 2FA token, which is sent in plain text. A more secure 2FA method is an Authenticator App that generates the 6-digit 2FA token on your device, with a new token every 30 seconds.

On Apple iPhone, starting with iOS 15, there is a built-in feature to generate 2FA tokens. We recommend this method for iPhone users because this 2FA item gets backed up via iCloud Keychain to your iCloud account so that when you get a new iPhone, you won't have to set up this 2FA method again.

In your Secrets Web Vault, select the profile icon and choose Account Settings, then select Security, then select Two-step login. Next to Authenticator app, click Manage.

After entering your master password, you will be shown a QR code that you can scan with your iPhone.

On your iPhone, open the Settings app and select Passwords.

Unlock the Passwords app when prompted, using Touch ID, Face ID, or your passcode.

Then select the + icon in the upper right to create a new login item.

In the Website section, enter: secrets.ayamsecure.com and then select Done.

From the Account Options section of this login item, select Set Up Verification Code....

In the menu that pops up, select Scan QR Code and point your phone's camera at the QR code shown in your Secrets Web Vault.

Enter the 6-digit code shown in your phone's Password app for this login item in Part 3 of the 2FA set up in your Secrets Web Vault and click on Turn on.

Now you have enabled Authenticator App as a 2FA method on your Secrets vault and you can confirm this by the green checkmark icon next to Authenticator app.

When logging in to your Secrets Vault, you will be prompted for this 2FA token. If your phone is not nearby, you can choose Use another two-step login method and select Email.

Step 5: Set up Authenticator App as a 2FA Method on Android

For Android, there are multiple authenticator apps to choose from. We recommend Aegis Authenticator primarily because its 2FA token settings can be backed up and moved to a new phone. It's also free, secure, and open source.

In your Secrets Web Vault, select the profile icon and choose Account Settings, then select Security, then select Two-step login. Next to Authenticator app, click Manage.

After entering your master password, you will be shown a QR code that you can scan with your phone.

On your Android phone, open the Aegis Authenticator app and click on the red + button to add a new 2FA entry.

In the menu that pops up, select Scan QR code and point your phone's camera at the QR code shown in your Secrets Web Vault.

In Aegis, under the Note input box, type something to help you remember why you created this 2FA entry, such as 2FA Token for my Secrets Vault and click Save.

Enter the 6-digit code shown in Aegis for this login item in Part 3 of the 2FA set up in your Secrets Web Vault and click on Turn on.

After verifying that everything looks good, click on the Close button.

Now you have enabled Authenticator App as a 2FA method on your Secrets vault and you can confirm this by the green checkmark icon next to Authenticator App.

When logging in to your Secrets Vault, you will be prompted for this 2FA token. If your phone is not nearby, you can choose Use another two-step login method and select Email.

There you have it! You have now secured your Secrets Vault with Two-step login using multiple 2FA methods, and you have saved your backup recovery code.

If you need further help setting up 2FA on your vault, please don't hesitate to reach out and contact us.