Merge pull request 'Explain HTTP push when using 2FA' (#97) from ivan-paleo/Documentation:2fa into master

Reviewed-on: https://codeberg.org/Codeberg/Documentation/pulls/97
2020-10-16 14:03:20 +02:00 · 2020-10-16 14:03:20 +02:00 · e9feace995
commit e9feace995
parent a5125e4dd5 3811578c46
5 changed files with 29 additions and 15 deletions
--- a/assets/images/security/2fa/applications.png
+++ b/assets/images/security/2fa/applications.png
--- a/assets/images/security/2fa/applications.webp
+++ b/assets/images/security/2fa/applications.webp
--- a/assets/images/security/2fa/token-created.png
+++ b/assets/images/security/2fa/token-created.png
--- a/assets/images/security/2fa/token-created.webp
+++ b/assets/images/security/2fa/token-created.webp
--- a/content/security/2fa.md
+++ b/content/security/2fa.md
@ -6,22 +6,18 @@ eleventyNavigation:
 ---

 ## Why Two-factor Authentication?
-While it is important to have a strong password, to gain extra security i.e. in case your password or device ever gets compromised, it is a good idea to configure
-Two-factor Authentication for your account.
+While it is important to have a strong password, to gain extra security, e.g. in case your password or device ever gets compromised, it is a good idea to configure Two-factor Authentication for your account.

-With Two-factor Authentication, you will be asked for an authentication code generated using
-your phone in addition to your password, when logging into Codeberg.
+With Two-factor Authentication, you will be asked for an authentication code generated using your phone in addition to your password when logging into Codeberg.

-That way, if your password gets compromised, but your phone stays safe, your account cannot be compromised
-due to the loss of password alone.
+That way, your account cannot be compromised even if your password does get compromised, as long as your phone stays safe.

 ## How to set up Two-factor Authentication

 ### Prerequisites
 You will need an authenticator app installed on your phone.

-If you don't already have an authenticator app and you're not sure which app to 
-use, have a look at Aegis Authenticator
+If you don't already have an authenticator app and you're not sure which app to use, have a look at Aegis Authenticator
 ([F-Droid](https://f-droid.org/de/packages/com.beemdevelopment.aegis/) | [Google Play Store](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=en_US)) or Authenticator ([App Store](https://itunes.apple.com/app/authenticator/id766157276)).

 ### Step 1: Navigate to your user settings
@ -42,12 +38,10 @@ use, have a look at Aegis Authenticator
  <img src="/assets/images/security/2fa/qr-scan.jpg" alt="Scanning QR Code">
 </picture>

-After scanning the QR code with your app, enter the six digit code displayed
-in your app into the "Passcode" field of the settings form, then click "Verify".
+After scanning the QR code with your app, enter the six digit code displayed in your app into the "Passcode" field of the settings form, then click "Verify".

 ### Step 4: Store your scratch token in a safe place
-If your phone ever breaks, get lost or stolen, you can recover your account
-using the scratch token.
+If your phone ever breaks, get lost or stolen, you can recover your account using the scratch token.

 That token is showed to you right after setting up 2FA:

@ -61,6 +55,26 @@ Please store that token in a safe place.
 ### Step 5: Done!
 That's it - you have now configured 2FA for your account.

-From now on, each time you log into Codeberg, you will be asked for an
-authentication code from your app, adding a layer of security over using
-only a password.
+From now on, each time you log into Codeberg, you will be asked for an authentication code from your app, adding a layer of security over using only a password.
+
+## Personal access token
+If you push via HTTP (see [Clone & Commit via HTTP](/git/clone-commit-via-http)), an extra step will be needed to create a personal access token. This token will replace your normal password (+ authentication code) on Codeberg. 
+
+In your profile settings on Codeberg.org, go to the `Applications` tab.  
+In the section `Manage Access Tokens`, add a `Token Name` and confirm by clicking on the green `Generate Token`.  
+
+<picture>
+  <source srcset="/assets/images/security/2fa/applications.webp" type="image/webp">
+  <img src="/assets/images/security/2fa/applications.png" alt="applications">
+</picture>
+
+Make sure you save the generated token in a safe place, because it will not be shown again.
+
+<picture>
+  <source srcset="/assets/images/security/2fa/token-created.webp" type="image/webp">
+  <img src="/assets/images/security/2fa/token-created.png" alt="token-created">
+</picture>
+
+When asked for your password, just supply the token.
+
+You can create as many token as you like: one for each computer, one for each Git client, one for each session... you decide! You can also revoke tokens at any time by pressing the red `Delete` next to the token (see previous screenshot).