Today, we’re excited to announce public beta of two-factor authentication for Heroku accounts. With two-factor auth enabled, an authentication code is required whenever you log in. The code is delivered using an app on your smartphone, and access to your phone becomes a required factor (in addition to your password) to access Heroku. An attacker that has somehow discovered your password will not be able to log in using just your password.
Enabling two-factor auth
The easiest way to enable two-factor auth is using Dashboard. Go to your account page, click the “Enable two-factor authentication” button and follow the on-screen instructions.
Download an authenticator app for your smartphone if you don’t already have one. We recommend Google Authenticator but alternatives like Authy work too.
Scan the barcode shown on the Dashboard page using the downloaded authentication app.
Finally, enter the 6-digit code displayed on your smartphone to enable two-factor authentication.
That’s it! Your account is now protected with two-factor auth.
In the coming months, we want to add support for sending authentication codes using SMS and we’ll expose two-factor auth support in the Platform API, so stay tuned.
At Heroku we care deeply about the security of apps and accounts on the platform. In the past month alone, we responded vigorously to the Heartbleed vulnerability, launched our Security Bug Bounty program and announced important security improvements for SSL endpoints. With two-factor auth enabled, your Heroku account will have an extra layer of security that stops attackers that have somehow discovered your password. Enable it now.