Skip to content

How do I set up two-factor authentication (2FA)?

Requires Basic

Open your Profile, go to the “Two-factor authentication” section, and click “Add device”. Give it a device name, scan the QR code with your authenticator app (or type in the key manually), and confirm with the 6-digit code. From then on, every login requires this code. You can register multiple devices — this is strongly recommended as a backup.

  1. Open your profile. Click your user menu in the top right and choose “Profile”. Scroll to the “Two-factor authentication” section and click “Add device”.

    The 2FA section in the profile, with the 'Add device' button.
  2. Name the device. Enter a device name (for example “iPhone” or “Authenticator”) and click “Next”. The name helps you tell multiple devices apart.

    Step 1: give the new device a name.
  3. Scan the QR code. Scan the displayed QR code with your authenticator app. If you can’t scan it, type the code shown under “Secret (manual)” into the app instead.

    Step 2: scan the QR code or type in the key manually.
  4. Confirm the code. Enter the current 6-digit code from the app and click “Confirm”. The device now appears in the list as “Active”. From this point on, 2FA is switched on for your account.

    After confirmation, the device is active — 2FA is switched on.

Multiple devices (recommended): Repeat the steps to register a second device (for example a tablet) as a backup. At login, a code from any of your confirmed devices is accepted.

Removing a device: Via the trash icon next to the device and a confirmation prompt. If you remove the last confirmed device, 2FA is automatically disabled.

Recovery / lockout: There are no backup codes. If you no longer have any device, an administrator can reset your 2FA in user management (removing all devices). This is exactly why you should register at least a second device.

  • Multiple devices: You can create any number of named devices. Each has its own secret and must be confirmed individually with a code. At login, the code is checked against every confirmed device — a matching code from any one of them is enough.
  • Activation: 2FA switches on as soon as the first device is confirmed (totp_enabled).
  • Automatic deactivation: If you remove the last confirmed device, 2FA is switched off automatically.
  • Enforced 2FA: If your instance or tenant requires 2FA, Notory blocks all functionality after login until you’ve confirmed a device (setup screen).
  • No backup codes: There is no recovery-code system. If you lose all your devices, an administrator resets your 2FA (endpoint users/{id}/totp).
  • Secret shown only once: The secret is only ever returned when the device is created and is never issued again via the API.
  • Audit log: Confirming a device is logged; for each device, last_used_at is updated on every successful use.