Want to better protect your rubygems.org account?

Your rubygems.org account is important! Unauthorized access to your account can lead to irrevocable damage to your gems' reputation, for example a malicious version pushed under your name. We highly recommend that you enable MFA for both UI and API. When enabled, we will ask you for a one-time password for operations such as login and gem push to verify your identity.

Prerequisite

You need an authenticator app (such as Google Authenticator or Authy) that supports time-based one-time passwords (TOTP, RFC 6238) to scan the QR code and generate access codes. SMS-based authentication or recovery is not supported.
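As an added example (not code from rubygems.org or the RubyGems project), the Ruby script below shows what the authenticator app does with the Key shown beside the QR code during registration: it decodes the Base32 secret, derives the 6-digit code for the current 30-second window as specified by RFC 6238 (HMAC-SHA1 HOTP over the time counter), and checks a submitted code against that window. The drift tolerance of one adjacent window and the constant-time comparison are assumptions about how a verifier might behave; the tolerance rubygems.org actually applies is not stated on this page.

```ruby
require "openssl"

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Decode the Base32 "Key" shown next to the QR code into raw secret bytes
# (RFC 4648 alphabet; case-insensitive, '=' padding and spaces ignored).
def base32_decode(str)
  bits = str.upcase.delete("= ").each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid Base32 character #{c.inspect}" if idx.nil?
    idx.to_s(2).rjust(5, "0")
  end.join
  whole_bytes = bits.length - bits.length % 8
  bits[0, whole_bytes].scan(/.{8}/).map { |b| b.to_i(2) }.pack("C*")
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation to a 31-bit integer, then modulo 10^digits, zero-padded.
def hotp(secret, counter, digits: 6)
  hmac   = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
  offset = hmac[-1].ord & 0x0f
  code   = (hmac[offset, 4].unpack1("N") & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, "0")
end

# TOTP (RFC 6238): the counter is the number of 30-second periods since the Unix epoch,
# which is why the code in the app changes every 30 seconds.
def totp(secret, at: Time.now.to_i, period: 30, digits: 6)
  hotp(secret, at.to_i / period, digits: digits)
end

# Seconds until the code currently displayed by the app rolls over.
def seconds_remaining(at: Time.now.to_i, period: 30)
  period - (at.to_i % period)
end

# Constant-time comparison so a verifier does not leak how many leading digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: accept the code for the current window and, to tolerate clock skew,
# `drift` windows on either side (assumption: the real service's tolerance is not documented here).
def totp_valid?(secret, submitted, at: Time.now.to_i, period: 30, drift: 1)
  (-drift..drift).any? do |step|
    secure_equal?(totp(secret, at: at.to_i + step * period, period: period), submitted.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the RFC 6238 test secret "12345678901234567890", Base32-encoded
  # the way an authenticator app would receive it from the registration page.
  secret = base32_decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
  puts "current code: #{totp(secret)} (#{seconds_remaining}s left in this window)"
  puts "code at t=59: #{totp(secret, at: 59)}" # 287082, the last 6 digits of the RFC 6238 Appendix B value
end
```

The "time based" choice in the manual-entry dialog is what selects this time-counter mode; a counter-based (HOTP) entry would generate codes that never line up with what rubygems.org expects.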

Enabling multi-factor authentication

  1. Log in to rubygems.org with your existing account and go to the edit profile page. In the multifactor authentication section, click "Register a new device".
     (Screenshot: multifactor authentication section on the profile edit page)
  2. You will be redirected to a page showing a QR code and a text box for the OTP code. Scan the QR code with your authenticator app; a new rubygems.org account is added to the app as soon as the scan completes. You can also add the account manually using the Account and Key values shown next to the QR code; if you do, make sure you choose "time based" as the MFA type. The app will then show a 6-digit access code for your rubygems.org account that changes every 30 seconds. Enter the code currently shown into the OTP Code field and click Enable before it expires.
     (Screenshot: registering a new device)
  3. If the code is correct and the QR code has not expired, the next page shows a list of recovery codes. Copy these codes and store them somewhere safe that is not only the phone running your authenticator (a password manager, for example). You can use them to access your account should you lose your phone or accidentally delete the rubygems.org account from your authenticator app. Each recovery code can be used only once, and after using one to log in you should register your authenticator app again.
     (Screenshot: recovery codes)
  4. Sign out and sign in again. Signing in will now ask for an OTP code.
     (Screenshot: OTP prompt at login page)
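The single-use property of the recovery codes from step 3, as an added example in Ruby (not rubygems.org's implementation, whose storage format and code count are not described on this page): codes are generated once, only a digest of each is kept, and redeeming a code removes it so a second attempt is rejected. The code length, the count of ten and the SHA-256 digest are illustrative assumptions.

```ruby
require "securerandom"
require "digest"

# Illustrative store for single-use recovery codes. Only digests are kept, so a leaked
# database does not hand out usable codes; the plaintext list is shown to the user once.
class RecoveryCodes
  DEFAULT_COUNT = 10 # assumption: the number rubygems.org issues is not stated on the page

  # Returns [plaintext codes to display once, store holding only their digests].
  def self.generate(count: DEFAULT_COUNT)
    codes = Array.new(count) { SecureRandom.hex(6) } # 12 hex chars each; format is an assumption
    [codes, new(codes.map { |c| digest(c) })]
  end

  # Normalise what the user types (case, surrounding whitespace) before hashing.
  def self.digest(code)
    Digest::SHA256.hexdigest(code.to_s.strip.downcase)
  end

  def initialize(digests)
    @unused = digests.dup
  end

  def remaining
    @unused.size
  end

  # Consume a code: true on first use, false for unknown or already-used codes.
  # Matching on digests rather than plaintext means a timing difference reveals
  # nothing an attacker can turn back into a valid code.
  def redeem!(code)
    idx = @unused.index(self.class.digest(code))
    return false if idx.nil?
    @unused.delete_at(idx)
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  codes, store = RecoveryCodes.generate(count: 3) # constructed example
  puts "show once to user: #{codes.join(' ')}"
  puts "first use:  #{store.redeem!(codes[0])}" # true
  puts "second use: #{store.redeem!(codes[0])}" # false
  puts "remaining:  #{store.remaining}"          # 2
end
```

Because every redeemed code is gone for good, a login with a recovery code leaves you one code poorer with no way to get it back, which is why the page asks you to re-register your authenticator app right after using one.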

Authentication levels

When you register a new device or enable MFA for the first time, MFA is enabled for the UI only. If you go back to the profile edit page, the multifactor authentication section shows a dropdown menu with three options:

  • Disabled: turns MFA off. Delete the rubygems.org account from your authenticator app after disabling.
  • UI only: signing in from a browser and disabling MFA require an OTP code; API operations do not.
  • UI and API: in addition, gem signin, gem push, gem owner --add and gem owner --remove require an OTP code.

Steps to change your MFA level:

  1. Sign in and go to the edit profile page. If MFA is enabled for your account, the multifactor authentication section shows a dropdown menu.
     (Screenshot: multifactor section on the profile edit page)
  2. Select the level you want, enter the OTP code from your authenticator app and click Update.