How to Manage Two-Factor Authentication for DigitalOcean Accounts

If you log in to DigitalOcean with a username and password, enabling 2FA adds an additional layer of security against unauthorized access to your account.

Learn more about two-factor authentication.

An authentication factor is a piece of information used to verify that you’re allowed to do something, like a keycard used to unlock a hotel door.

This is one way of characterizing authentication factors:

  • Something you know: This is private knowledge that only you have, like a password or a PIN.
  • Something you have: This is a physical object that only you have, like a phone, a key, or a bank card.
  • Something you are: This is a physical characteristic that only you have, like your fingerprint or your voice.

Two-factor authentication, commonly abbreviated as 2FA, is any form of verification that requires two factors, like withdrawing money from an ATM using both a bank card (something you have) and its PIN (something you know).

A common first factor for online accounts is a password (something you know). A common second factor is an authentication code from an app on your phone (something you have).

We strongly recommend enabling 2FA on all DigitalOcean accounts.

Default Account Authentication

When you first create your account, 2FA is disabled, but DigitalOcean takes other steps to protect your account.

Each time you log in from a new location using a new device or a different web browser, we email an authorization code to the address linked to your account. You need to check your email, retrieve the code, and enter it to complete your login.

Even without 2FA enabled, a bad actor would need both your DigitalOcean password and your email password to log in. This isn’t as effective as 2FA, but it increases the difficulty for would-be attackers and provides you with notification if someone is trying to access your account.

Enabling Two-Factor Authentication

Note
If you log in to DigitalOcean with Google or GitHub, you manage 2FA with your Google or GitHub account instead of your DigitalOcean account.

To enable 2FA for your DigitalOcean account, log in to the control panel and click the profile icon in the top right corner.

The pull-down menu that expands from clicking the profile icon in the control panel

In the menu that opens, click My Account to go to your My Account page. Then, in the Two-factor authentication section, click Set Up 2FA.

The two-factor authentication section of the My Account page with 2FA currently disabled and the Set Up 2FA button visible

When you enable 2FA, you need to choose your second factor and choose a backup method.

Choosing the Second Factor

When you click the Set Up 2FA button, the Set up two factor authentication window opens on the Choose Method step.

Choose an authentication method window

You need to choose your authentication method: either using an authentication app or using SMS.

Authenticator apps like Google Authenticator, Authy, 1Password, Microsoft Authenticator, and Duo are small, free mobile applications used to generate security codes. They work globally and are more secure than SMS because they don’t transmit the security codes across the network.

When you choose this method, you need to scan the provided QR code using the authenticator app on your phone or tablet. This links your device to your DigitalOcean account.

If you’re unable to scan the QR code, click the Try this instead link directly underneath it to get a numerical code which you can enter manually. Follow the directions in your specific authenticator app to enter the code, then enter the PIN that the app gives you in the space provided. Once you’ve entered the PIN, the app links with your DigitalOcean account.

Once your DigitalOcean account and 2FA app are linked, each time you log in to DigitalOcean you need to open the app and enter the code it shows into the control panel to finish logging in.
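The reason app-generated codes never cross the network is that both the app and the service compute them independently from the shared secret enrolled via the QR code plus the current time (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example written for this page in Python, not DigitalOcean's code or any authenticator app's; the secret is the RFC 6238 reference key, embedded as a constructed demo value, and the server-side verifier's skew window is an assumed design choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (the RFC 6238 reference key "12345678901234567890", base32-encoded).
# A real enrollment secret is the one encoded in the QR code or shown by "Try this instead".
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)          # base32 input must be padded to a multiple of 8
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app displays."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32, submitted, at, step=30, skew=1, digits=6):
    """Server-side check (assumed design): recompute locally and accept the current
    step plus `skew` neighbouring steps on each side, so small clock drift between
    phone and server does not lock the user out. Comparison is constant-time."""
    counter = int(at) // step
    submitted = submitted.strip().replace(" ", "")
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET_B32))
```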

Some authenticator apps have features like backups and syncing to help you restore access to the app if you lose your device. We recommend using these features for added reliability.

If you select SMS, your mobile carrier must be able to deliver a text message, which means you need mobile signal or an internet connection. This may be inconvenient when traveling internationally. In addition, because SMS messages are vulnerable to being intercepted by hackers, they’re not as secure as an app. However, using SMS for 2FA still provides much stronger security for your account than not enabling 2FA at all.

When you select SMS, you are prompted for the phone number.

Note
You cannot use VoIP or other virtual telephony numbers from services like Google Voice or Ooma.

Once you enter your phone number, DigitalOcean sends a code via SMS. When you receive it, enter the code to link your phone and your account. From then on, you receive codes via SMS to enter into the control panel to complete your login.

Choosing a Backup Method

Once you’ve configured your primary method for 2FA, you need to add a backup method. This is how you can regain access to your account if your 2FA device is lost or stolen.

You can use backup codes or an authenticator app. We recommend using backup codes.

Backup codes act like a second password, so store them in a secure place that you can access without your phone.

Backup codes are visible on-screen when you enable 2FA. You can also download a .txt file called digitalocean_backupcodes.txt.

Backup codes are single use, so it can be helpful to delete or cross out a backup code once you use it. If you only have a few valid backup codes left, you can generate more. When you regenerate backup codes, any remaining codes from before are no longer valid.
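The backup-code rules above (codes shown once at setup, single use, regeneration invalidating whatever remains) as a small server-side model. This is an added example in Python written for this page, not DigitalOcean's implementation; the code format, count and hashing scheme are assumptions.

```python
import hashlib
import secrets

# Constructed model of the semantics described on this page, not DigitalOcean's code.


class BackupCodes:
    """Server-side store of single-use recovery codes. Only salted hashes are kept;
    the plaintext list exists once, at generation time, for the user to save."""

    def __init__(self, count=10):
        self._salt = b""
        self._hashes = set()
        self.initial_codes = self.regenerate(count)   # shown once / offered as a .txt download

    @staticmethod
    def _normalize(code):
        # Tolerate the user re-typing with spaces or capitals.
        return code.strip().replace(" ", "").lower()

    def _digest(self, code):
        # Codes carry 64 bits of randomness, so a salted SHA-256 is adequate here;
        # a slow KDF (scrypt/argon2) is the choice for low-entropy codes.
        return hashlib.sha256(self._salt + self._normalize(code).encode()).hexdigest()

    def regenerate(self, count=10):
        """Issue a fresh set; every previously issued code stops working."""
        self._salt = secrets.token_bytes(16)
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
        self._hashes = {self._digest(c) for c in codes}
        return codes

    def remaining(self):
        return len(self._hashes)

    def redeem(self, code):
        """Consume a code on successful use so it can never be replayed."""
        d = self._digest(code)
        if d in self._hashes:
            self._hashes.remove(d)
            return True
        return False
```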

You can use an authenticator app like Google Authenticator or Duo as your backup solution.

We do not recommend this because it is phone-based, and it is only selectable as a backup option if you select SMS as your primary 2FA method. In the scenario where you can’t access your SMS messages and need to use a backup method, whatever is preventing SMS access may also make your phone unusable as a backup.

For this reason, we recommend using an authenticator app as your primary 2FA method, with backup codes as your backup method.

Disabling Two-Factor Authentication

You can disable 2FA on the My Account page, in the Two-factor authentication section. When two-factor authentication is enabled, this section displays your default authentication method and your backup method.

The Two-Factor Authentication section of the My Account page

Click the Disable 2FA button to disable two-factor authentication.

If you lose access to your 2FA device or can’t receive the code via SMS, try searching your computer for the backup codes text file, which is named digitalocean_backupcodes.txt by default. If your backup method is not functioning, submit a ticket to the DigitalOcean support team for help restoring access to your account.

Switching Authenticator Apps

If you have enabled 2FA for your account and are using an authenticator app, you can change the app you use to authenticate your DigitalOcean account by disabling 2FA and then enabling it again with your preferred authenticator app.

To switch your authentication app, follow the steps above to first disable 2FA for your account, then enable 2FA again using your new authentication app.