In Castor, you can configure two-factor authentication (2FA) for your account. This means that, upon login, you will have to enter an extra authentication code generated by an authentication app on your phone or tablet. This adds an extra layer of security to your Castor account - potential attackers will need not only your account details, but also your physical device with your authentication app to be able to access your account. 

To enable 2FA, first make sure that an authentication app is installed and updated on your phone/tablet. In Castor, go to your Account Settings by clicking on the account icon in the top left corner and selecting 'Settings'.

Then, go to the tab 'Password & Security'. 

Under the "Two-factor authentication" section, tick the box for "Using two-factor authentication with this account". Then click the blue button below "Activate two-factor authentication".

Now follow the instructions on screen, that will ask you first to open an authenticator app on your phone and then to scan the provided QR-code. You can also manually enter the provided key:

Once you have scanned the QR code or entered the key, a 6-digit code will appear in your authentication app. Enter this code into the field and click 'Configure'.

Once configured, CastorEDC will appear in your Authentication app. Every time you log into Castor, you will need to provide the 6-digit code generated in the Authentication app. The code refreshes every once in a while.

Two-factor authentication is account-based or study based - some sites and organisations enforce additional authentication for their domains, some studies require two factor authentication from users. The procedure for your own account is always the same.

If you would like to add enforced 2FA and/or 90-day password rotation for email domains linked to your site, please submit a request here.

Troubleshooting

When receiving a new device or in the event a device has been lost, it is necessary to move the Authenticator app to a new device or disable it completely. Check the website of your Authentication app to see how you can move the app to your new device. For example, for the Google Authenticator, you can access the Google's two-step verification Web page and modify the settings there - you will first need to verify your new device within the Google Authenticator app. More information can be found on the Google Account Help page: Using a new phone to receive 2-Step Verification codes

If you still have your old and your new device, you can change the 2FA setting in your account to 'No'. Save your account settings. Regenerate the QR-code by setting the 2FA back to 'Yes' and scan it with your new phone.

Please note: If you encounter a problem with deactivating 2FA for your account, please contact us.