About scriptbin's secondary login

What is secondary login?

The primary way to log in to scriptbin is to use "Log in with your Reddit account". That sends you to Reddit and Reddit gets back to scriptbin and says "this is username X". With that, scriptbin creates an account if necessary and then logs in.

But there are reasons to be able to log in without Reddit in the loop, including Reddit being down or that Reddit account having been deleted. So there is also "secondary login".

Secondary login uses a password that you register and it also requires a six digit code from a two-factor authenticator app. If you have your username and those two things, you can log in directly.

You turn on secondary login with a button in your writer's profile, called "🔑 Enable secondary login".

What is "two factor authentication"?

The security world talks about factors needed to authenticate/log in, commonly "something you know", "something you have" and "something you are". "Something you know" is your password. "Something you are" is biometric authentication, like a thumbprint, face scan or retina scan.

Two factor authentication means requiring two of these factors rather than just one (more generally, "multi-factor" means more than one). The more there are, the less likely it is that someone else will be able to log in as you.

What are "authenticator apps"?

Authenticator apps, or other apps that work with "one time passcodes", make it possible for the phone/tablet/device they run on to be "something you have".

With an authenticator app, you scan a little QR code, one of the funny looking square pixelly things, and that transfers a long cryptographic key to the app, which saves it away. Using that key, the app can then look at the clock and produce a new six digit code that changes at regular intervals.

Since both the site that provided the QR code and the authenticator app have the long cryptographic key and they both know what the time is, they can both calculate the six digit code. If you enter it and it matches, the site can be reasonably sure that you are you.

Because of this code, anyone who got their hands on your password would still need the code as well. In other words, they would need the password you know and the phone you have.
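To make the "both sides compute the same six digit code from the key and the clock" idea concrete, here is an added example (not scriptbin's own code) of the standard TOTP scheme (RFC 6238) that authenticator apps implement, including the server-side check that tolerates a little clock drift. The key is the RFC 6238 test-vector key so the expected codes are known in advance; the issuer and account names are made up.

```python
# Added example (not scriptbin's code): the TOTP scheme (RFC 6238) that
# authenticator apps implement, plus the server-side check that allows a
# little clock drift. The key below is the RFC 6238 test-vector key, used
# only so the expected codes are known; real keys are random, per account.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

RFC_SECRET = b"12345678901234567890"  # RFC 6238 test-vector key (SHA-1)


def provisioning_uri(secret: bytes, account: str, issuer: str = "scriptbin") -> str:
    """Text the enrolment QR code encodes: the key (base32) plus parameters."""
    b32 = base64.b32encode(secret).decode("ascii")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second slot containing unix_time; both sides compute this."""
    counter = unix_time // step                      # which time slot we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current slot and `window` slots either side."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "writer@example"))  # made-up account name
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("code now:", code, "accepted:", verify_totp(RFC_SECRET, code, now))
```

A real server would additionally remember the last accepted time slot so that the same code cannot be replayed within the drift window.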

When scriptbin refers to "adding a new authenticator app", it means adding a new key that it saves as soon as you have verified that you have added it to an app. In practice that always means adding it to a different app than the one you already have a key added to - adding it to the app on your tablet instead of the one on your phone, for instance. Theoretically you could add multiple keys to the exact same app on the exact same device or to a second app on the exact same device, but that wouldn't give you anything extra in practice.