Two-Factor Authentication (2FA)

Set up TOTP-based two-factor authentication for enhanced account security.

Supascale supports Time-based One-Time Password (TOTP) two-factor authentication to add an extra layer of security to your admin account. When enabled, you'll need both your password and a code from your authenticator app to log in.

How It Works

Two-factor authentication uses the TOTP standard (RFC 6238), which is supported by popular authenticator apps:

  • Google Authenticator (iOS, Android)
  • Microsoft Authenticator (iOS, Android)
  • Authy (iOS, Android, Desktop)
  • 1Password (iOS, Android, Desktop)
  • Bitwarden (iOS, Android, Desktop)

When enabled, your authenticator app generates a new 6-digit code every 30 seconds. This code is required in addition to your password during login.

Setting Up 2FA

Prerequisites

  • Install an authenticator app on your phone or desktop
  • Have access to your Supascale account

Enable 2FA

  1. Go to Settings > Profile
  2. Find the Two-Factor Authentication section
  3. Click Enable 2FA
  4. Scan the QR code with your authenticator app
  5. Enter the 6-digit code from your app to verify
  6. Save your backup codes in a secure location

Important: Backup Codes

When you enable 2FA, you'll receive 10 backup codes. These are single-use codes that can be used if you lose access to your authenticator app.

Store these codes securely:

  • Save them in a password manager
  • Print them and store in a safe location
  • Do NOT store them in plain text on your computer

Each backup code can only be used once. After using a code, it's automatically invalidated.

Logging In with 2FA

  1. Enter your username and password as usual
  2. You'll be prompted for a verification code
  3. Open your authenticator app
  4. Enter the current 6-digit code
  5. Click Verify to complete login

Using a Backup Code

If you don't have access to your authenticator app:

  1. At the verification prompt, enter a backup code instead
  2. Backup codes are 8-character alphanumeric codes (e.g., A1B2C3D4)
  3. After successful login, consider regenerating your backup codes

Managing 2FA

Viewing Status

Go to Settings > Profile to see:

  • Whether 2FA is enabled
  • When 2FA was set up
  • How many backup codes remain

Regenerating Backup Codes

If you've used some backup codes or suspect they've been compromised:

  1. Go to Settings > Profile
  2. Click Regenerate Backup Codes
  3. Verify with your current 2FA code
  4. Save the new backup codes securely

Your old backup codes will be invalidated immediately.

Disabling 2FA

To disable two-factor authentication:

  1. Go to Settings > Profile
  2. Click Disable 2FA
  3. Verify with your current 2FA code
  4. Confirm the action

Warning: Disabling 2FA reduces your account security. Only disable it if absolutely necessary.

Troubleshooting

"Invalid verification code"

Possible causes:

  • Code has expired (codes change every 30 seconds)
  • Clock sync issue between your device and the server
  • Incorrect secret was scanned

Solutions:

  1. Wait for a new code and try again
  2. Check that your phone's time is set to automatic
  3. If problem persists, disable and re-enable 2FA

Locked Out (Lost Authenticator Access)

If you've lost access to your authenticator app:

  1. Try a backup code - Enter one of your saved backup codes
  2. Contact server admin - They can disable 2FA via command line
  3. Emergency reset - See Emergency 2FA Disable

Backup Codes Not Working

  • Ensure you're using the correct codes (they're 8 characters)
  • Check that the code hasn't already been used
  • Codes are case-insensitive

Security Best Practices

Do

  • Use a dedicated authenticator app (not SMS)
  • Store backup codes in a password manager
  • Enable 2FA on all admin accounts
  • Regenerate backup codes periodically

Don't

  • Share your 2FA secret or backup codes
  • Store backup codes in plain text
  • Use the same authenticator for multiple services without backup
  • Ignore low backup code warnings

Activity Logging

All 2FA-related events are logged:

Event                           Description
auth.totp_enabled               2FA was enabled
auth.totp_disabled              2FA was disabled
auth.login_success_2fa          Successful login with 2FA
auth.login_success_backup_code  Login using backup code
auth.totp_disabled_by_admin     2FA disabled via admin script

Technical Details

Setting        Value
Algorithm      SHA-1 (TOTP standard)
Digits         6
Period         30 seconds
Time window    ±1 period (for clock drift)
Backup codes   10 codes, 8 hex characters each

Secret Storage

  • TOTP secrets are encrypted at rest using AES-256
  • Backup codes are also encrypted
  • Encryption key is derived from AUTH_SECRET