Screen Shot 2014-05-22 at 9.41.02 AM


Two-step verification, also known as two-factor authentication, makes logging into online accounts safer by combining something memorized – a password – with something possessed – a time-based security code. This account security feature is now available for all customers in the Umbrella Dashboard.


Accessing most online accounts requires a username and a password. A password alone is not a strong way of ensuring account security – passwords can be shared between accounts and people.

Two-step verification adds a second step to the login process to prevent unauthorized access. After supplying the account password, the user inputs a time-based security code that is generated. This security code changes to a new seemingly random code every 30 seconds, so to gain access to an account you must physically possess the source of codes. This helps ensure that only the owner of the account may sign in.

How it Works

Two-step verification implements a one-time password system. The basic goal of the system is to verify that a user is who they say they are without communicating anything secret. It does this by generating security codes that change based on time. The system is designed so that, even if all of the security codes are stolen – for example, if traffic is being intercepted – then future security tokens cannot be predicted. Unlike passwords, if a security token is stolen, it is only valid for up to 30 seconds.

Creating these security tokens in a deterministic but seemingly random way is accomplished by sharing a secret key between the user and the server. After this secret key is synchronized it is never shared again. The server and user combine this secret key with the current time using a hashing algorithm to generate one-time passwords. By standardizing the hashing algorithm and ensuring accurate clocks, the same six-digit password is generated by both the user and the server.

If the security token sent by the user matches the one generated by the server, then it is assumed that the user has the correct secret key and is who they claim to be.


Three main methods of implementing one-time passwords exist. Because the generation of the token requires an intense mathematical hash the system is not simple.

Hardware Tokens have a secret key, then calculate security tokens that they normally display on a screen. These types of devices have been a common sight on the keychains of banking employees for decades.

In an SMS-based system, the server generates the token, sends it to the user via SMS, then the user inputs it into the login system. In this sense, the server sends a code to the user then makes sure that it receives back the same password the user received.

The third method of one-time password generation is with a smartphone application such as Google Authenticator or Authy. After a user downloads the smart phone application, they enable two-step verification on their account and receive the secret key by scanning a QR code. In this setup, the user’s phone calculates the one-time password every time that they try to sign in.

OpenDNS Implementation

Two-step verification at OpenDNS began as a hackathon project. After a team of engineers built the two-step verification system in a 24-hour, coffee-fueled sprint, the project was passed onto the A-Team to ready it for production.

OpenDNS supports SMS and App-based two-step verification. To enable it on your account, in the Umbrella Dashboard go to your account settings.

OpenDNS provides a recovery code when you enable two-step verification. This code allows you to disable two-step verification should you lose your phone. Treat this recovery code like a password but store it separately from your account password – our engineers prefer keeping recovery codes in a Truecrypt volume on Dropbox or in 1Password.

App or SMS?

SMS is the easier option. It requires no application, it works on any phone that uses text messages, and if a user loses their phone then the new one can still have the same phone number. Because the text message passes through many services in plaintext before it reaches the user, this is not as secure as having the user generate their own one-time password.

Phone applications are the recommended choice because the user generates their own security tokens every time they log in. In addition, the application still generates tokens without cell signal or internet.

Next Steps

Log into the Umbrella Dashboard and improve your account security with two-step verification.

This post is categorized in: