How to Set Up Two-Factor Authentication on Slack

One of the most important security steps you can take is also one of the least intuitive.

Slack is a corporate group-chatting tool that's become crucial to how many businesses work today, including (The company behind it, also called Slack, is important in its own right: At more than $2 billion, it’s one of the highest-valued companies in Silicon Valley, and is driving a round of stratospheric startup evaluations.)
Slack was also the target of a recent hacking incident, in which user data—email addresses, phone numbers, and Skype usernames—was exposed to attackers. In response, it has debuted two-factor authentication.
Two-factor authentication is one of the best tools users have to protect their security. Instead of just your password standing between you and hackers, it also requires a second key—sometimes a number texted to your cellphone—before you can fully log in.
And security, of course, is important, especially in the businesses in which Slack is often used. (A Slack security blunder late last year that revealed a group’s public chat names to anyone who cared to access them was newsworthy by itself.)
Two-factor authentication isn’t difficult to set up, but it’s not particularly intuitive either. One of the easiest ways requires you to download a Google-made app, for example, even though Slack isn’t a Google-made product. So if you’re one of Slack’s half-million daily users, here’s how to go about doing it:
(Slack has posted their own instructions for how to do this, but I found them lacking, especially for users who’ve never set up two-factor authentication beyond Google or Twitter before. They’re also not helpful for users in more than one Slack room.)
1. Go to your Slack Account Settings page, scroll down, and click “Expand” next to Two-Factor Authentication.
(If you can’t find the words “two-factor authentication” on the page, make sure you’re in the “Settings” tab. It’s the foremost tab on my screen, but make sure you’re not in “Profile” or “Photo,” etc.)
If you did find two-factor authentication, you’ll see something like this:
2. Enter your current Slack password and hit “Enable two factor authentication.”
3. Okay, here’s where it gets a little strange. Take out your phone. With this kind of authentication setup, Slack does not text you a code to enter, as Google does. You have to go download an app instead.
In the iPhone or Android app store, search for and then download either an app called Google Authenticator (iPhone, Android) or one called Duo Mobile. On a Windows phone, look for Microsoft Authenticator.
These apps are made by Google and Duo, but your data will never actually touch a Google or Duo server. These two authenticator apps are just implementations of a standard called the Time-based One-time Password Algorithm. This method hands a secret key to your phone, which your phone inputs into an algorithm. Your phone then solves the algorithm every 30 seconds, using the current time as one of the inputs. If you and the two-factor server both have the same secret key, and can show it’s roughly the same time, then you’re allowed to sign in.
Google Authenticator and Duo Mobile are just two different ways to run one of these algorithm solvers on your phone. That’s why Slack asks you to download them.
4. On the set-up-two-factor-authentication page, Slack tells you to show the authenticator app a QR code. This is how it communicates the secret key to your phone. (Trust me: You have not just downloaded a glorified QR code reader. Indeed, you have perhaps found the only time that QR codes are actually useful.)
In Google Authenticator, you have to press a plus-sign button near the top of the screen to start a new log-in. After pressing it, tap the option to “scan barcode.” Then show it the QR code on the screen.
5. Your phone’s authenticator app will now have an array of six numbers on the screen. Enter them in the box provided by Slack, beneath the QR code, then click “Verify Code.”
6. If this worked, you’ll go back to your Account Settings page, where you’ll see a green “Enabled” next to “two factor authentication.” Below that, you’ll also see 10 unused backup codes. Copy a few of these down on a post-it note and stick it in your wallet—if you ever lose your phone, they’ll be how you access Slack.
Simultaneously, you’ll have been logged out of your main Slack chat window. This is a sign of success! Re-enter your username and password, then enter the PIN currently showing on your Authenticator app. (These PINs change every 30 seconds, so make sure it’s recent.) Now you should be logged in to a more secure Slack.
If you’re in multiple Slack rooms, you need to do this for every room independently. The easiest way to do that is to enter this into your browser’s URL bar—


—where the word in brackets is the URL subdomain of your Slack. (The easiest way to find that information is to click on a timestamp next to any chat and see where Slack sends you in your browser. The word before “” will also be the word you want in the URL above.)