Enhance your security with Two-Factor Authentication. Passwords alone won't do the trick.
by Adam Anderson on 18 Apr 2022
What are Two-Factor Authentication and Two-Step Verification?
The security of most online accounts depends on your password. If your password gets leaked or hacked, you're in trouble. With Two-Step Verification, also known as Two-Factor Authentication, you use one additional piece of information to log into your accounts: a one-time use, 6-digit code or token. This means that even if your password is hacked, your account will remain protected; the hacker would need access to your login token as well.
Read on to learn about how to set up Two-Factor Authentication, and why you should use a dedicated app for this, as opposed to Text Message or SMS-based login codes.
What is Aegis Authenticator?
Aegis Authenticator is a free and open-source Android app available on Google Play and F-Droid app stores that enhances the security of your online accounts. Using Aegis Authenticator you can generate one-time login codes on your phone that can be used as a second "factor" or second step of your normal login process.
Typically, when you log into a website or app, you will use a username and password. With Aegis Authenticator securing your online accounts, you’ll also enter a random 6-digit code each time you want to log in.
These 6-digit codes are known as Time-Based One-Time Passwords (TOTP). Each one is derived from a secret shared with the website when you set it up, combined with the current time, so it can be generated on your phone without any network connection. Using TOTP for Two-Factor Authentication (2FA) provides better security than SMS-based one-time codes, because each one is generated offline and is only valid for 30 seconds. After the 30 seconds are up, a new 6-digit TOTP code is provided for you to use.
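To make concrete how a code is produced from a shared secret and the clock, here is an added example (not code from the page, from Aegis Authenticator, or from Bitcoin Reserve) that implements the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) with SHA-1, 6 digits and a 30-second step, which is what Aegis generates by default. The Base32 secret used below is the RFC test-vector key, chosen only so the expected codes can be checked; it is not a real account secret. The `verify` function shows the website's side: it accepts the code for the current 30-second step and, optionally, the neighbouring steps, which is why a code entered just after the countdown bar empties can still work and why waiting for the next code is always safe.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long one code is valid (the countdown bar in Aegis)
DIGITS = 6          # length of the displayed code


def decode_secret(secret_b32: str) -> bytes:
    """Turn the Base32 secret text (as pasted via 'Enter manually') into raw key bytes.

    Spaces and lower-case letters are tolerated, and missing '=' padding is restored,
    because sites often display the secret in groups of four characters.
    """
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is simply the number of whole steps since the epoch."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def seconds_remaining(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Seconds until the current code expires; this is what the shrinking bar shows."""
    return step - (unix_time % step)


def verify(secret_b32: str, submitted: str, unix_time: int,
           step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    drift_steps neighbouring steps, to absorb small clock differences between
    phone and server. Uses a constant-time comparison so timing does not leak
    which digits matched."""
    key = decode_secret(secret_b32)
    counter = unix_time // step
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in Base32.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    print("current code:", totp(demo_secret, now),
          "valid for another", seconds_remaining(now), "s")
```

In a real deployment the verifier must also remember the last step it accepted for a given account and refuse to accept the same code twice within its window, and it should rate-limit attempts; neither is shown here. The `drift_steps` tolerance is a policy choice: a value of 1 (one step either side) is common, while 0 forces the phone's clock and the server's clock to agree to the second.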
What is wrong with using SMS to receive one-time login codes?
You may already be familiar with SMS-based (text message) authentication, especially for banking apps and websites: When you log in from a new place, your bank may send you a text message and ask you to verify that you are who you say you are. Effectively, you are proving ownership or control of a phone number when you do this. This approach to security is called ‘SMS-based Two-Factor Authentication’.
The problem, or risk, with this approach is that you may lose access to your phone number, or your phone number may be hacked or 'ported away' from you. This is called a SIM-swapping attack.
The use of Time-Based One-Time Passwords (TOTP) is preferable for increased security as these are not connected in any way with your phone number. Wherever possible, we recommend you use TOTP instead of SMS to protect your most important accounts.
- At Bitcoin Reserve, we require you to set up Two-Factor Authentication using Time-Based One-Time Passwords, for example with Aegis Authenticator.
- We intentionally do not offer the option of setting up SMS-based Two-Factor Authentication due to the risks of SIM-swapping attacks.
How do I set up Aegis Authenticator?
Download and install Aegis Authenticator for your Android device:
- Google Play: Aegis Authenticator
- F-Droid: Aegis Authenticator
Enable Two-Factor Authentication for Bitcoin Reserve
- After verifying your email address, log in with your email and password
- Next, click ‘Enable Two-Factor Authentication’
- Click ‘Next’
- On your phone, open Aegis Authenticator
- Finish the setup wizard if you have not already done so: Select a security option: None (no password), Password, or Biometrics; Password is recommended.
- Click the ‘+’ button to add an account
- Select ‘Scan QR Code’ to scan the code shown on the Bitcoin Reserve website
- If you are setting up Two-Factor Authentication from the same mobile device, instead choose ‘Enter manually’, and then from the website click ‘Click to Copy TOTP Key’ and paste the Secret into the designated field. Example Secret format:
- After you have scanned the QR code, you should see a new account listed which includes your email address and the name of the website or account, e.g.
Bitcoin Reserve (<firstname.lastname@example.org>)
- Under the Account Name + Email, you’ll see a 6-digit TOTP code. Enter this into the form field on the Bitcoin Reserve website (labeled ‘6 digit code’) and click ‘Next’.
NOTE: The shrinking-bar countdown timer under the TOTP code indicates how much time is remaining before the code will be refreshed. This occurs once every 30 seconds. If you don’t finish entering the TOTP code prior to its expiration, simply wait and enter the next one that appears in Aegis Authenticator.
You have now successfully enabled Two-Factor Authentication for your Bitcoin Reserve Account! You will need to open Aegis Authenticator to get a new TOTP code each time you log in.
TIP: Many email accounts and other online services offer TOTP-based Two-Factor Authentication options. These options will generally be listed under Account or Security-related settings, depending on the site. Aegis Authenticator can be used for any of these services, if TOTP is an option.