Two-factor Authentication Now Generally Available

Two-factor authentication is a powerful and simple way to greatly enhance security for your Heroku account. It prevents an attacker from accessing your account using a stolen password. After a 4 month beta period, we are now happy to make two-factor authentication generally available.

Turning on two-factor authentication

You can enable and disable two-factor authentication for your Heroku account in the Manage Account section of Dashboard.

Before you turn it on, please read on here to understand the risks of account lock-out. You can also refer to the Dev Center docs for more details.

How two-factor authentication protects you

Without two-factor authentication, an attacker can gain access to your Heroku account by just knowing your password. The most common way attackers get access to passwords is by hijacking email accounts and issuing a password reset request. If you reuse the same password for multiple services, an attacker may also learn your password if one of your other services are compromised and its password database leaks (therefore, never use the same password for multiple services).

After you turn on two-factor authentication, you can only authenticate by providing both the password and a "second factor" code. The second factor code is a code that can only be used once or that expires very quickly (30-60 seconds). You obtain the code from an authenticator app on your mobile device.

Now, it is only possible to access your account by knowing your password and having access to your (unlocked) mobile device.

If you lose your two-factor device

When you enable two-factor authentication, it is critical that you download a set of recovery codes and store them in a safe place. If you lose your mobile device or if it gets wiped, you can authenticate using these recovery codes in place of the two-factor code generated by your device.

If you have enabled two-factor authentication and not saved your recovery codes, go to the accounts page now and download your codes.

If for some reason you have neither your two-factor device nor your recovery codes, there are a few additional ways you may be able to recover.

Your responsibility when turning on two-factor authentication

When you enable two-factor authentication, please understand that

It is possible for you to lock yourself out of your account with no ability to regain access.

It is critical that you download recovery codes and store them in a place where you can access them in case of an emergency.

If you are locked out and none of the recovery methods work for you, there is no guarantee that you can regain access to your account because we may not be able to confirm ownership of the account.

In the future, we may add additional forms of account ownership verification to aid in cases of lock-out, but there is no single solution that fully solves this problem.

Therefore, please do save those recovery codes!

What two-factor authentication does not protect against

Security is a multi-faceted problem and two-factor authentication is not designed to protect against all possible attacks. For example, it will not protect you against malware that gives a remote attacker access to your computer. Two-factor authentication is specifically designed to protect against password leaks. You should continue to follow all other security best practices to achieve maximum protection.

Browse the blog archives, subscribe to the full-text feed, or visit the engineering blog.