From d3febc72c50f973cec67a4a0f60e9ce820d6854c Mon Sep 17 00:00:00 2001
From: Adam Niedzielski <adamsunday@gmail.com>
Date: Fri, 28 Oct 2016 08:59:51 +0200
Subject: [PATCH] Provide detailed instructions how to set up TOTP in
 1Password.

Closes #848.
---
 source/handbook/security/1password-totp.png | Bin 0 -> 5685 bytes
 source/handbook/security/index.html.md      |  32 ++++++++++++++++++--
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 source/handbook/security/1password-totp.png

diff --git a/source/handbook/security/1password-totp.png b/source/handbook/security/1password-totp.png
new file mode 100644
index 0000000000000000000000000000000000000000..8fa0c4dda1dcb3d2d94ac5447832f5031e711397
GIT binary patch
literal 5685

literal 0
HcmV?d00001

diff --git a/source/handbook/security/index.html.md b/source/handbook/security/index.html.md
index ea8a83fd8ce..d2aab334db4 100644
--- a/source/handbook/security/index.html.md
+++ b/source/handbook/security/index.html.md
@@ -18,7 +18,7 @@ title: Security Handbook
 For all credentials that are not stored in a shared vault on 1Password there should be one secure note in the 'Shared' vault. This can be services that have individual
 accounts or OAuth access. Locate the 'secure note' in the team's 'Shared' vault with the name of the service you are trying to access. The note should list whom can give you access in case it has
 individual accounts, or it may link to the onboarding checklist. You should be added to most of these services during onboarding.
-1. If 2FA should be on for the new user account, make sure to store recovery codes in the login, and consider using [auto-generated TOTP] if useful.
+1. If 2FA should be on for the new user account, make sure to store recovery codes in the login, and use [1Password TOTP].
 1. If you need to give more people access to credentials [move them](https://discussions.agilebits.com/discussion/comment/133692/#Comment_133692) to a vault that they can access. Never duplicate credentials! If needed put them in the 'Shared' vault that the whole company can access or make a suggestion to create a new vault in the "1Password Shared Folders" Google Sheet. Do not share passwords on a per person basis by sharing them via 1Password, this makes it hard to reason about the sharing and doesn't change when the responsibilities change.
 1. When asked security questions (what is your favorite pet, etc.) do not answer truthfully since that is easy to research. Make up an answer and write both the question and answer in 1Password.
 1. Do not share credentials via email, issue comments, chat etc. This includes
@@ -35,7 +35,7 @@ individual accounts, or it may link to the onboarding checklist. You should be a
    service.
 1. Do not let your password manager store the **master password**. It is okay to
    store the login.
-1. Enable two-factor authentication (2FA) with 1Password [auto-generated TOTP] for your Google, Slack, GitLab.com, and dev.gitlab.org accounts. The nice thing about 1Password is that it migrates when you have a new phone, unlike Google Authenticator.
+1. Enable two-factor authentication (2FA) with [1Password TOTP] for your Google, Slack, GitLab.com, and dev.gitlab.org accounts.
 1. You can also consider using a [Yubikey](https://about.gitlab.com/2016/06/22/gitlab-adds-support-for-u2f/) with GitLab.
 1. **Encrypt** your computer's home folder. For Mac users: Use [FileVault] to
    encrypt the entire disk.<a name="encrypt-home-folder"></a>
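Review bot: The rewritten 2FA item drops the stated reason for choosing 1Password ("it migrates when you have a new phone, unlike Google Authenticator"), and the new section added later in this patch gives only "does not require using your smartphone" as the motivation. Consider carrying the migration rationale into the new section so readers still see why this is preferred over a phone authenticator app.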
@@ -68,7 +68,7 @@ individual accounts, or it may link to the onboarding checklist. You should be a
 
 [1Password]: https://1password.com
 [generate strong passwords]: https://support.1password.com/guides/mac/generate-a-strong-password.html
-[auto-generated TOTP]: https://blog.agilebits.com/2015/01/26/totp-for-1password-users/
+[1Password TOTP]: #1password-totp
 [Google Authenticator]: https://support.google.com/accounts/answer/1066447?hl=en
 [FileVault]: https://support.apple.com/en-us/HT204837
 [team call agenda]: https://docs.google.com/document/d/1JiLWsTOm0yprPVIW9W-hM4iUsRxkBt_1bpm3VXV4Muc/edit
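Review bot: Removing the `[auto-generated TOTP]` reference definition will leave any remaining `[auto-generated TOTP]` use in this file rendering as literal bracketed text. The two uses visible in this patch are updated, but the rest of the file should be searched for the old label before merging. The new target `#1password-totp` does match the `<a name="1password-totp">` anchor added in the last hunk.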
@@ -249,6 +249,32 @@ To create a personal local vault:
 1. A new local vault (**Primary**) is created outside the GitLab team account
 1. If you want to setup sync for your new local vault, go to **Preferences > Sync**
 
+### Two Factor Authentication and Time-based One Time Passwords<a name="1password-totp"></a>
+
+There are several ways to get your Two Factor Authentication (2FA) codes.
+You can get them sent via SMS or use an app like Google Authenticator to
+generate them. 1Password provides an alternative solution that does not
+require using your smartphone: 1Password Time-based One Time Passwords
+(TOTP). 2FA codes are displayed directly in the 1Password app running on your
+laptop.
+
+To enable TOTP for a saved account:
+
+1. Open 1Password app
+1. Go to the item for which you want to set up TOTP
+1. Click **Edit** in the bottom right corner
+1. Click 3 dots icon
+   ![3 little dots](/handbook/security/1password-totp.png)
+1. Select **One-Time Password**
+1. Click QR code icon that appeared
+1. Scan QR code using the transparent window
+1. Click **Save**
+1. 2FA code should be displayed now
+
+Please refer to the [1Password blog] for more information on how TOTP works.
+
+[1Password blog]: https://blog.agilebits.com/2015/01/26/totp-for-1password-users/
+
 ### Example Usage<a name="1password-example-usage"></a>
 
 This is an example of how <a href="https://gitlab.com/u/rspeicher">Robert</a>,
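Review bot: The numbered steps jump to "Scan QR code using the transparent window" without ever telling the reader to open the service's 2FA setup page where that QR code is displayed, and the list ends at "2FA code should be displayed now" without a step to enter the code back into the service to finish enrolment. Suggest adding both steps, plus a reminder to save the recovery codes in the same item as the earlier list requires. Smaller points: the `[1Password blog]` definition sits inside the section while the other reference definitions are collected in one block (see the previous hunk); "Google Authenticator" in the intro could use the existing `[Google Authenticator]` reference; and steps such as "Open 1Password app" and "Click 3 dots icon" are missing articles.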
-- 
GitLab