Two-step verification (also known as Two-Factor Authentication) helps protect you and your data by making it more difficult for someone else to log in to your Kahootz account. It uses two different forms of identity: your password (something you know), and a security code from your phone (something you have). This helps keep your account secure because even if someone else finds your password, they'll be stopped if they don't have access to your phone. You can also generate recovery codes to use if you don’t have your phone, or if it gets lost/damaged.
Site Owners can enable two-step verification that uses phone based Authenticator Apps for all the users on their site. (See Account > Site Admin > Settings). This is available for both Professional and Enterprise accounts.
Kahootz can also support two-step verification via SMS code or automated voice call to mobile/landline numbers. There is an additional cost for this feature (£1/user/month); please contact support for details. Note that codes delivered by SMS or voice call are easier for an attacker to intercept (for example by taking over your phone number) than codes generated on the device itself, so prefer an authenticator app where you can.
Kahootz Enterprise site owners may also control who needs to use two-step verification (all users, just workspace managers, just site owners) and other security and login settings.
What's an Authenticator App?
Authenticator apps generate short-lived codes that you can use to sign in. They're not special to Kahootz - you can use them with many sites and internet services (including Google and Amazon). They do not have access to your Kahootz password or account information; all they hold is the secret that was set up for each site.
If you don't have one, go to your phone's app store, search for "Authenticator App" and install one (e.g. Google Authenticator or Microsoft Authenticator).
Apps are available for phones and tablets running Android, Apple iOS, Windows Mobile and Blackberry, and for Windows 10 Desktops/Laptops and Apple Macs too.
What if I get a message that my security code is invalid?
For your protection, the codes only work for a short period of time - your app will generate a new security code automatically every 30 seconds. Enter the code as soon as you see it on your phone. Most apps show how long the code remains valid as a moving bar or spinning wheel.
If you still see an error message after trying again, please check that the time is set accurately on your mobile device. Security codes are calculated from the current time, so the time on your device must be accurate for Kahootz to accept them; a clock that is even a minute out will produce codes that are rejected. We recommend you set your phone to update the time automatically.
What if I don't always have access to my phone?
You can set up the app on several devices (phone, tablet or even a Windows 10 desktop), give each device a different name, and then choose which one to use when you log in.
If you do not have access to any of these, you may use a recovery code to log in. Recovery codes allow you to access your account whenever you are unable to provide a verification code, which may happen if you are travelling or if you lose your phone.
If you are unable to provide a verification code and you do not have a recovery code, you may be able to contact your Site Owner or raise a ticket with Kahootz Support via email. They will attempt to verify your identity with the answers to the security questions you provided at setup. They will be able to provide you with a one-off recovery code to use. Please note that Kahootz Support is not allowed to provide codes over the telephone under any circumstances.
I’ve lost/changed my phone with the authenticator app on it.
You'll need to use a recovery code, another pre-linked device, or the security-question process described above to get into your account.
Once you have accessed your account, you can revoke access to the authenticator app on your old phone from Account > Password and Security > Devices. You can delete the old device and add a new one.
How does this work?
We use a standard open algorithm called Time-based One-Time Password, or TOTP. It's an openly published algorithm for generating codes from the current time and a secret shared between the site and the app. Any programmer can write an authenticator app that uses the algorithm.
Kahootz gives your device a unique secret (one for each device) via the barcode (QR code) or typed code you use to set up the authenticator. Your app stores that secret, combines it with the current time (rounded down to a 30-second step) through the algorithm, and shows a 6-digit code. That code changes every 30 seconds. Kahootz also knows your secret(s), so it can calculate the same code and check whether what you typed matches the current code or the ones either side, giving a 90-second validity for each code (which caters for typing time and small clock differences). Because everything is derived from that secret, treat the setup barcode or typed code like a password: anyone who captures it can generate your codes.
The recovery codes use roughly the same principle (HOTP), but with an incrementing counter in place of the time. When a code is used, Kahootz moves the counter past it, so each code can only be used once.
For more information, look up Time-based One-Time Passwords (RFC 6238) and HMAC-based One-Time Passwords (RFC 4226).
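The following is an added worked example, not Kahootz's own code, showing the mechanics the previous paragraphs describe (and why the "invalid code" section above blames the phone's clock): an RFC 4226 HOTP primitive, TOTP on top of it with a 30-second step and the current-step-plus-one-either-side (90-second) acceptance window, replay refusal of an already-accepted step, and counter-based single-use recovery codes. The secret is the constructed ASCII seed from the RFC test vectors, so the outputs can be checked against RFC 4226/6238; the recovery-code policy (any order, and redeeming a code burns any lower-numbered codes that were skipped) is an assumption, as the page only says the counter is incremented on use.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the ASCII seed used for the RFC 4226 / RFC 6238 test vectors.
# A real server generates a fresh random secret (typically 20 bytes) for every enrolled device.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated
    to a 31-bit integer and reduced to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(unix_time / step).
    This is what the authenticator app computes and displays."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_accepted: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matched time step, or None.

    The current step and `window` steps either side are tried (window=1 gives the
    90-second validity described on the page, tolerating typing time and small clock
    drift). Steps at or before `last_accepted` are refused so a code that was already
    used cannot be replayed while it is still inside its window.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_accepted:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return candidate
    return None


class RecoveryCodes:
    """Single-use recovery codes built from the same HOTP primitive with a counter in
    place of the time. The server stores only the secret and the next unused counter;
    accepting a code advances the counter past it. Assumption (not stated on the page):
    codes may be redeemed in any order, and redeeming one also burns any lower-numbered
    codes that were skipped, exactly like HOTP look-ahead resynchronisation."""

    def __init__(self, secret: bytes, count: int = 10, digits: int = 8):
        self.secret = secret
        self.count = count
        self.digits = digits
        self.next_counter = 0

    def issue(self) -> list:
        """The codes handed to the user at setup."""
        return [hotp(self.secret, c, self.digits) for c in range(self.count)]

    def redeem(self, code: str) -> bool:
        for c in range(self.next_counter, self.count):
            if hmac.compare_digest(hotp(self.secret, c, self.digits).encode(), code.encode()):
                self.next_counter = c + 1        # this code (and any skipped ones) can never be reused
                return True
        return False


def provisioning_key(secret: bytes) -> str:
    """The 'typed code' shown at setup: the shared secret in Base32, which is also what the
    QR code carries. Anyone who captures it can compute every future code."""
    return base64.b32encode(secret).decode()


if __name__ == "__main__":
    # Phone clock reads 1111111109, server clock reads 1111111111: they fall in adjacent
    # 30-second steps, so the code still matches thanks to the +/-1 step window.
    phone_code = totp(EXAMPLE_SECRET, 1111111109)
    print("phone shows", phone_code, "-> server accepts step",
          verify_totp(EXAMPLE_SECRET, phone_code, 1111111111))
    # The same code presented again, after its step was recorded as accepted.
    print("replay ->", verify_totp(EXAMPLE_SECRET, phone_code, 1111111111, last_accepted=37037036))
    # A phone clock a full minute out always lands two steps away, outside the window.
    skewed = totp(EXAMPLE_SECRET, 1111111111 + 60)
    print("minute of skew ->", verify_totp(EXAMPLE_SECRET, skewed, 1111111111))
    print("provisioning key:", provisioning_key(EXAMPLE_SECRET))
```

The constant-time comparison and the `last_accepted` bookkeeping are the two details most often missed in hand-rolled verifiers: without the first, a code can be guessed digit by digit through timing; without the second, a phished or shoulder-surfed code can be replayed for up to 90 seconds.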