Two-factor Auth in Public Beta

Today, we’re excited to announce public beta of two-factor authentication for Heroku accounts. With two-factor auth enabled, an authentication code is required whenever you log in. The code is delivered using an app on your smartphone, and access to your phone becomes a required factor (in addition to your password) to access Heroku. An attacker that has somehow discovered your password will not be able to log in using just your password.

Enabling two-factor auth

The easiest way to enable two-factor auth is using Dashboard. Go to your account page, click the “Enable two-factor authentication” button and follow the on-screen instructions.

Enable two-factor auth button

Download an authenticator app for your smartphone if you don’t already have one. We recommend Google Authenticator but alternatives like Authy work too.

Two-factor apps

Scan the barcode shown on the Dashboard page using the downloaded authentication app.

Bar code

Finally, enter the 6-digit code displayed on your smartphone to enable two-factor authentication.

Verify code

That’s it! Your account is now protected with two-factor auth.

In the coming months, we want to add support for sending authentication codes using SMS and we’ll expose two-factor auth support in the Platform API, so stay tuned.

At Heroku we care deeply about the security of apps and accounts on the platform. In the past month alone, we responded vigorously to the Heartbleed vulnerability, launched our Security Bug Bounty program and announced important security improvements for SSL endpoints. With two-factor auth enabled, your Heroku account will have an extra layer of security that stops attackers that have somehow discovered your password. Enable it now.

Browse the blog archives or subscribe to the full-text feed.