Account security settings

General

You can access your account management panel at https://account.gandi.net/

There, you'll see the following buttons:

  • Settings: general settings, email, phone, newsletter subscription
  • Security: the security settings we're documenting here
  • Authorized apps: the list of applications allowed to access your Gandi account (using OAuth2).
  • My apps: if you are a developer, this is where you can set up your OAuth application

Security

Click on the security button to access this page:

You can perform the following actions:

  • Password: you can re-enter your existing password, and choose a new one from here
  • Two-factor authentication: this leads to the TOTP 2FA setup
  • U2F: this is a new, recommended way of setting up two-factor authentication using hardware tokens
  • IP restriction: this will provide you with ways to filter the IP addresses allowed to access the website for your account

General recommendations

Note that U2F only works well with Chrome. Experimental, external plugin support for Safari exists, and Firefox is working on it. If your browser is not listed, ask your vendor to support U2F!

We recommend setting up both TOTP and a set of U2F keys. This has multiple advantages:

  • If you have a key, U2F will override the need for a TOTP token.
  • If you lose your key, or are logging in from somewhere else, you will be able to fall back to TOTP to provide a second factor.
  • This allows for easier recovery of your account if you lose one of your devices.

For the same reason, we highly suggest configuring multiple keys on one account.

U2F

Note that U2F only works well with Chrome. Experimental, external plugin support for Safari exists, and Firefox is working on it. If your browser is not listed, ask your vendor to support U2F!

Click on “Manage your U2F authentication”, and the following dialog will pop up:

Then, click “Add a new key”.

In order for you to easily manage your keys later, we will prompt you to name this token.

Choose a name that will help you identify this key later.

Once you've clicked “Continue”, do the following:

  • If your key is not inserted yet, insert it into your computer
  • If your key has a button, press the button
  • If your key has no button, and was inserted, unplug it then plug it again

Once you've done that, the key will appear in the list of installed keys:

Removing a lost key, or adding more keys

Simply go back to the U2F management page to remove keys (for example when they're lost or broken) and add backup keys.

TOTP

Setting up TOTP requires a TOTP application or device. You can configure this alongside U2F keys, in which case any working device can be used to complete two-factor authentication.

Enable TOTP by clicking “Yes” in front of “Two factor authentication”, and you will be provided with a QR code to scan:

If you cannot scan the QR code, you can also manually enter the provided seed. Make sure your TOTP application has the seed, and proceed to the next step by clicking “Next”. Your TOTP application should start periodically producing 6-digit codes.

We require that you re-enter your password along with a valid TOTP code provided by the application. Enter the code currently displayed by your TOTP token. This allows our system to double-check that TOTP is correctly set up and avoids locking you out of your account.

Changing your TOTP token

You cannot re-download the TOTP seed if you have lost it. You will have to replace it with a new TOTP seed.

Simply deactivate TOTP (by clicking “No” in front of “Two factor authentication”), enable it again, and follow the instructions above.

IP restriction

You can also set up IP restriction on your account.

You must only specify public static IP addresses. If you are not sure whether or not your ISP provides you with a static IP address, then do not activate this feature until you have verified this. You will block yourself out of Gandi's website if your IP address changes!

Also make sure you define both your IPv4 and your IPv6 addresses if you have an IPv6 connection.

Enter one CIDR per line as in the example below:
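Before saving a list, you can check it locally. The script below is an added example, not Gandi's own sample list or tooling: it parses one CIDR per line, rejects invalid and non-public ranges, and reports any address you currently connect from that the list would not cover. The function name, the list of non-public ranges and the sample values are assumptions made for this example (documentation ranges stand in for real public addresses), and the script cannot tell whether an address is static.

```python
import ipaddress

# Ranges that are never a public address: RFC 1918, CGNAT, loopback,
# link-local and IPv6 unique-local (list chosen for this example).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def check_allowlist(text, current_ips):
    """Parse one CIDR per line; return (accepted_networks, problems)."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: {entry!r} is not a valid CIDR")
            continue
        if any(net.version == bad.version and net.overlaps(bad)
               for bad in NON_PUBLIC):
            problems.append(f"line {lineno}: {net} is not a public range")
            continue
        networks.append(net)
    # Every address you connect from (IPv4 and, if you have it, IPv6) must
    # fall inside an accepted range, or saving the list locks you out.
    for ip in map(ipaddress.ip_address, current_ips):
        if not any(ip.version == n.version and ip in n for n in networks):
            problems.append(f"current IPv{ip.version} address {ip} is not covered")
    return networks, problems


# Constructed sample input: one CIDR per line, with two deliberate mistakes.
SAMPLE = """203.0.113.0/24
192.168.1.0/24
2001:db8:1234::/48
not-an-ip
"""
# Constructed addresses standing in for the ones you currently connect from.
CURRENT = ["203.0.113.7", "2001:db8:1234::10", "198.51.100.4"]

if __name__ == "__main__":
    nets, issues = check_allowlist(SAMPLE, CURRENT)
    print("accepted:", ", ".join(map(str, nets)))
    for issue in issues:
        print("problem:", issue)
```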