What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security method that adds an extra layer of protection to your account by requiring two or more verification factors to sign in, for example your password plus a code from an authenticator app. This additional layer helps protect your account from unauthorized access even if one factor (such as your password) is compromised.

How will MFA work with Prolific?

We use a two-pronged approach: a Time-based One-Time Password (TOTP) generated by an authenticator app is the primary second factor, and a set of one-time recovery codes is the backup method for when the authenticator app is unavailable.

How do I set up multi-factor authentication on my account?

1. Sign in to your account as normal
2. Click on your initials in the upper right-hand corner of the Prolific page
3. Go to your ‘Account’ page
4. You’ll see a ‘multi-factor authentication’ option; click the button to ‘turn on’

5. You’ll then see a pop-up with the following instructions:

  • Install a trusted authenticator app (such as Google Authenticator, Microsoft Authenticator, or Duo Mobile) on your smartphone or tablet.
  • Click "Enable MFA" on the Prolific page
  • Scan the QR code presented, using your chosen authenticator app
  • Enter the code generated by the authenticator app to confirm that set-up has been successfully completed

6. You’ll then be shown your account’s unique recovery codes. We strongly encourage you to write these codes down and store them securely, separate from the device running your authenticator app, as they are the only way to regain access if you lose that device. You’ll need to confirm that you’ve safely and securely recorded the codes by ticking the box, and then click ‘continue’.

7. You’ll then see a confirmation screen showing that the new authentication factor has been set up, and you can return to Prolific to continue taking studies, now with enhanced account security!

How do I log in to my account using multi-factor authentication?

This article will guide you through how to log in to your Prolific account with multi-factor authentication (MFA) turned on.

If you haven’t already enabled MFA on Prolific, please see the following: Set up MFA.

1. Log in to your account as normal, by entering your email address and password

2. You’ll then see a ‘Verify Your Identity’ screen, prompting you to check your authenticator app

3. Enter the 6-digit code from your authenticator app into the field provided. The code changes every 30 seconds, so if a code is rejected, wait for the next one and try again. If you no longer have access to your authenticator app, use one of your recovery codes instead.

How do I remove multi-factor authentication from my account?

This article will guide you through removing multi-factor authentication (MFA) from your Prolific account. Doing so means your password alone is enough to sign in, which increases the chances of someone gaining unauthorized access to your Prolific account, so please consider this carefully before proceeding.

1. Log in to your Prolific account as normal

2. Click on your initials in the upper right-hand corner of the Prolific page

3. Go to your 'Account' page

4. You’ll see a ‘multi-factor authentication’ option, click the button to ‘Remove’

5. You’ll then see a ‘Remove MFA’ pop-up, and will need to re-enter your account password. Click ‘Remove MFA’

6. You’ll then see an ‘Authenticate to continue’ screen, prompting you to check your authenticator app.

7. Enter the 6-digit code from your authenticator app into the field provided, and click ‘Continue’. If you do not have access to your authenticator app, click ‘Try another method’ and enter one of your unique recovery codes

8. Once you’ve successfully verified, you’ll see the following pop-up, confirming that MFA has been removed from your account.


FAQs

What is TOTP?

TOTP (Time-based One-Time Password, standardized in RFC 6238) is the algorithm authenticator apps use to generate the short, temporary codes that serve as your second factor. Here's how it works:

  1. When you set up TOTP, the QR code gives your authenticator app (such as Google Authenticator or Authy) a secret that is shared only between the app and Prolific.
  2. The app combines that secret with the current time to generate a new 6-digit code every 30 seconds. Prolific performs the same calculation on its side, so the two codes match without the app ever contacting the internet.
  3. When logging in, you enter the current code along with your password. A code is only valid for its 30-second window and cannot be reused.
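To make the description above concrete, here is an added worked example of the TOTP calculation, written for this article rather than taken from Prolific's own code. It shows both halves of the setup procedure described earlier on this page: the content of the QR code the authenticator app scans (the widely used otpauth:// key URI format), and the server-side check that accepts the 6-digit code while tolerating a little clock skew and refusing replays. The issuer name "Prolific", the account label and the verification window are illustrative assumptions; the expected codes come from the published RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

PERIOD = 30   # seconds per time step: the "new code every 30 seconds" in the FAQ
DIGITS = 6    # code length shown by the authenticator app


def generate_secret(nbytes: int = 20) -> bytes:
    """Random shared secret created at enrolment (160 bits, the size RFC 4226 recommends)."""
    return secrets.token_bytes(nbytes)


def otpauth_uri(secret: bytes, account: str, issuer: str) -> str:
    """Text encoded in the QR code the authenticator app scans (Key URI format used by
    Google/Microsoft Authenticator, Duo and others). The secret travels base32-encoded.
    Issuer/account values here are illustrative, not Prolific's actual parameters."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    The app and the server each compute this independently, so no network is needed."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // period)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                window: int = 1,
                last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Server-side check of a submitted code.

    Accepts the current 30-second step plus `window` steps either side to absorb clock
    skew between phone and server. Steps at or before `last_used_step` are rejected so a
    code that an attacker captured cannot be replayed within its window. Returns
    (accepted, matched_step); the caller persists matched_step as the new last_used_step.
    """
    now = int(time.time()) if at is None else at
    step = now // PERIOD
    for candidate in range(step - window, step + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, None


if __name__ == "__main__":
    # Enrolment: mint a secret, show what the QR code carries, and confirm the first code.
    secret = generate_secret()
    print(otpauth_uri(secret, "user@example.com", "Prolific"))
    first_code = totp(secret)                     # what the app would display right now
    accepted, step = verify_totp(secret, first_code)
    print("enrolment code accepted:", accepted, "at step", step)
```

Because the code depends only on the shared secret and the current time, the authenticator app works without any connection; the flip side is that a phone whose clock is badly wrong will produce codes the server rejects, which is why the verifier allows one step of skew either way and why "wait for the next code" is the usual fix.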

What are recovery codes?

As part of the TOTP setup process, you’ll be provided with recovery codes:

  1. Recovery codes are generated once, when TOTP is first set up, and Prolific does not show them again afterwards.
  2. They are a set of one-time use codes: each code works exactly once and is then invalidated. You can use them if you lose access to your TOTP device.
  3. We strongly encourage you to write these codes down and store them securely, separate from your TOTP device. Do not keep them in your email account or alongside your password.
  4. Recovery codes serve as a fallback only, usable when TOTP is unavailable; they are not a replacement for the authenticator app in everyday logins.
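The following is an added example, written for this article and not Prolific's own code, of how a service can issue and honour one-time recovery codes like those described above. It shows the properties the FAQ relies on: codes are random and generated once, the service keeps only a hash of each code so a database leak does not expose them, and redeeming a code removes it so it cannot be used twice. The code alphabet, length and count are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List

CODE_COUNT = 8
# 32-symbol alphabet with 0/o and 1/l removed so hand-written codes are easy to type back.
CODE_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10  # 10 symbols x 5 bits = 50 bits of entropy per code


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Mint `count` random codes. Shown to the user exactly once, at TOTP setup."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def format_for_display(code: str) -> str:
    """Group the code as xxxxx-xxxxx, which is easier to copy onto paper."""
    return f"{code[:5]}-{code[5:]}"


def normalize(code: str) -> str:
    """Undo the cosmetic formatting and case a user may introduce when typing a code in."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str) -> str:
    """Each code carries 50 bits of randomness, so a plain SHA-256 digest is enough to
    make the stored value useless to anyone who reads the database."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-account store of unredeemed recovery-code hashes (in-memory stand-in for a DB)."""

    def __init__(self, codes: List[str]):
        self._hashes = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once: a hit removes its hash so a second use fails."""
        digest = hash_code(submitted)
        match = None
        # Compare against every stored hash in constant time rather than stopping early,
        # so response timing does not reveal whether or where a match occurred.
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self._hashes.discard(match)
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Write these down and store them securely:")
    for c in codes:
        print(" ", format_for_display(c))
    store = RecoveryCodeStore(codes)
    print("first use accepted:", store.redeem(format_for_display(codes[0]).upper()))
    print("second use accepted:", store.redeem(codes[0]))
    print("codes remaining:", store.remaining())
```

Once the last code is redeemed, or the user re-enrols TOTP, a real service would generate and display a fresh set; that is why the setup flow insists the codes are recorded before continuing.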

Why is this approach better than email?

  1. A true second factor: a TOTP code proves "something you have" (the phone holding the shared secret), which is distinct from your password ("something you know"). Recovery codes are a one-time backup for that factor, also independent of your password, and should be guarded as carefully as one.
  2. Offline access: TOTP codes are computed from the shared secret and the current time, so the app needs no internet connection to generate them, unlike a code delivered by email. The phone's clock does need to be roughly correct.
  3. Time-sensitive: each TOTP code is valid for only 30 seconds and cannot be reused, which sharply reduces the window of opportunity for an attacker who intercepts one.
  4. Not susceptible to email compromise: an attacker who takes over your mailbox can read emailed codes and reset passwords, but gains nothing against TOTP. Your recovery codes stay out of reach too, provided you have not stored them in that mailbox.
  5. Backup option: recovery codes provide a secure fallback if the TOTP device is lost or unavailable, without falling back to a weaker channel.