
Login Security for SSLmarket Account

Logging into an SSLmarket account can be secured in two ways. You can enable 2FA using OTP (a one-time password) or the more secure and modern FIDO2 MFA (using a YubiKey, Windows Hello, or another authenticator). This help article explains how to enable each method and what to do if you run into login security problems.

What is OTP-based 2FA and FIDO2 MFA

Let's first define what each login security method means.

OTP-based 2FA is two-factor authentication based on a one-time code (typically TOTP, a time-based code): the user logs in with a password and then a time-limited code that an authenticator app or token computes from a secret shared with the site at setup. The method is widely used, but it is phishing-prone: a fake login page can collect the code and forward it to the real site in real time, before it expires, and the real site cannot tell where the code was typed. To use this method, you need nothing more than an ordinary smartphone with an authenticator app. The most popular are Microsoft Authenticator and Google Authenticator; both are free for Android and iOS.

[Image: OTP codes in Microsoft Authenticator. Source: play.google.com]

FIDO2 MFA is multifactor authentication based on asymmetric cryptography, typically using a security key (e.g., YubiKey) or a platform authenticator (e.g., Windows Hello). The private key never leaves the authenticator; at login you prove possession of the device and unlock it with a PIN or biometrics. The credential is bound to the site's domain, and the browser includes the page's origin in the data the authenticator signs, so a look-alike phishing site cannot obtain a usable login. This gives high resistance to phishing. You need a computer with a TPM chip (for Windows Hello), a smartphone with biometrics, or a hardware key such as a YubiKey.

[Image: Different models of YubiKey. Source: oit.duke.edu]

Enabling Login Security

After logging into your SSLmarket account, click on the account owner's name in the top-right corner and select the Security option from the displayed menu. A dialog will open where, in addition to changing the password, you can activate additional forms of login security.

In the Login Security section, you can enable each of the two multifactor methods independently. On activation you are offered recovery codes for download; they are what you use to disable the given method later, and without them the verification cannot be turned off. We recommend printing them and keeping them somewhere safe, to avoid a total loss of access to your account.

Two-Factor Authentication (2FA) in SSLmarket

You can easily activate two-factor authentication (2FA) in your account. When logging in, you will then enter a one-time code generated by the authenticator app in addition to your password. The exact steps for adding the account (scanning a QR code or entering the secret manually) depend on the chosen authenticator app.

The advantage of 2FA is that someone who knows your password cannot log into your account with the password alone. Successful login also requires verification with a second factor, typically the one-time code.

For using 2FA, we recommend the Google Authenticator or Microsoft Authenticator apps. Both apps allow easy migration to a new device when changing phones, and their use is simple and reliable.

Logging in with FIDO2 (passkey / security key)

FIDO2 represents a modern and highly secure way to log in. It allows passwordless login: instead of a password, the authenticator proves your identity with a cryptographic signature.

FIDO2 can be used, for example, through a mobile phone with biometric verification, a computer with a TPM chip, or a hardware security key (e.g., YubiKey). We consider the hardware security key the most secure option. Additionally, YubiKey devices can also be used for other purposes, such as secure certificate storage.

Enabling login with FIDO2 disables password login; you will no longer enter a password. To log in you need the registered FIDO2 authenticator (for example, a YubiKey plugged into the computer) and must pass a user-verification step on it, such as entering the YubiKey PIN or the phone's biometric check. You are then logged in without a password.
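The definition of FIDO2 above says the credential is "tied to a specific domain" and the login section says the authenticator proves your identity with a signature. The following added example (not SSLmarket's code; SSLmarket's real RP ID, origin and challenge format are not known and are assumed here as `sslmarket.example`) simulates the browser, the authenticator and the relying party in plain Python to show what that binding means. A pure-Python ECDSA over NIST P-256 stands in for the authenticator's key pair, with a simplified deterministic nonce rather than RFC 6979; the WebAuthn-side checks (origin in clientDataJSON, rpIdHash, user-presence and user-verification flags, signature over authenticatorData || SHA-256(clientDataJSON)) follow the WebAuthn assertion verification procedure.

```python
# Added example (not SSLmarket's code): why a FIDO2/WebAuthn assertion cannot be relayed
# by a phishing site the way an OTP can. RP ID/origin/challenge are assumed demo values.
import base64, hashlib, hmac, json, secrets

# NIST P-256 parameters (FIPS 186-4); a pure-Python ECDSA stands in for the
# authenticator's key pair because the standard library has no ECDSA.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():                       # registration: key pair generated on the authenticator
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    # deterministic nonce from key and message (simplified stand-in for RFC 6979)
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % (N - 1) + 1
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

RP_ID = "sslmarket.example"         # assumed RP ID and origin for the demo
ORIGIN = "https://" + RP_ID

def browser_get_assertion(page_origin, rp_id, challenge, priv):
    """Browser + authenticator. The browser, not the page, writes the origin into
    clientDataJSON and refuses an RP ID that is not a suffix of the page's host."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("RP ID does not match page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + bytes([0x05])                            # flags: UP | UV (PIN/biometric passed)
                 + (1).to_bytes(4, "big"))                  # signature counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data,
            "signature": ecdsa_sign(priv, signed)}

def rp_verify(pub, expected_challenge, a, rp_id=RP_ID, origin=ORIGIN):
    """Relying-party side of the WebAuthn assertion verification procedure."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get": return False, "type"
    if cd.get("challenge") != expected_challenge: return False, "challenge"
    if cd.get("origin") != origin: return False, "origin"
    ad = a["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest(): return False, "rpIdHash"
    if not ad[32] & 0x01: return False, "user not present"
    if not ad[32] & 0x04: return False, "user not verified"
    if not ecdsa_verify(pub, ad + hashlib.sha256(a["clientDataJSON"]).digest(), a["signature"]):
        return False, "signature"
    return True, "ok"

def demo():
    priv, pub = keygen()
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    out = {"legit": rp_verify(pub, challenge, browser_get_assertion(ORIGIN, RP_ID, challenge, priv))}
    evil = "https://sslmarket-login.example"   # constructed phishing site relaying the real challenge
    try:                                        # 1) it cannot even ask for the real RP ID
        browser_get_assertion(evil, RP_ID, challenge, priv); out["evil_rpid"] = "allowed"
    except ValueError as e:
        out["evil_rpid"] = str(e)
    phished = browser_get_assertion(evil, "sslmarket-login.example", challenge, priv)
    out["relayed"] = rp_verify(pub, challenge, phished)          # 2) origin in the signed data is wrong
    forged = dict(phished, clientDataJSON=phished["clientDataJSON"].replace(evil.encode(), ORIGIN.encode()),
                  authenticatorData=hashlib.sha256(RP_ID.encode()).digest() + phished["authenticatorData"][32:])
    out["forged"] = rp_verify(pub, challenge, forged)            # 3) rewriting those fields breaks the signature
    return out
```

`demo()` walks through three cases: the genuine login verifies; a phishing page cannot request the real RP ID at all; and an assertion it does obtain is rejected because the origin it was signed with is the phishing origin, while patching the origin and rpIdHash afterwards invalidates the signature. Contrast this with the OTP case, where the code carries no information about the site it was typed into.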

Troubleshooting 2FA or FIDO2

The most common problem is the loss of the authenticator, for example after replacing the mobile device that held the 2FA app or the device used for FIDO2. The same applies if you lose a hardware security key (e.g., YubiKey). If you use your computer's TPM chip (Windows Hello) for FIDO2 login, keep in mind that the credential is tied to that specific hardware and cannot be used from any other computer, so register it on the PC you actually log in from (be careful with work vs. home PC).

If you lose access to your 2FA device or FIDO2 key, use the backup recovery codes you received upon activation. They are the only way to restore access to your account; once you are back in, set up multifactor authentication again with the new device.
