Two-factor authentication (2FA) adds an extra layer of security to your GrapheneDB account.
Once enabled, you’ll be asked to verify your identity each time there is an attempt to sign in to your account. In order to verify your identity, you will be asked to enter a one-time verification code.
This extra layer of security means even if your password is compromised or stolen, malicious login attempts will be blocked if the necessary verification code is not provided.
For these reasons, we **strongly encourage all users to turn on 2FA** for their accounts.
## Enabling two-factor authentication
Before you begin, please make sure that you’ve downloaded an authenticator app for your phone. We recommend Google Authenticator ([Android](🔗), [iOS](🔗)) or [Authy](🔗) ([Android](🔗), [iOS](🔗)). Alternatively, you can also receive verification codes via SMS.
To turn on two-factor authentication on GrapheneDB, navigate to the _Account_ section and click the _Enable 2FA_ button at the end of the _Settings_ page.

A new window will be displayed. Please follow the instructions to activate 2FA:

**1. Scan the code and enter the validation code from your authenticator app**
When you scan the QR code generated on our website, the authentication application of your choice will generate a verification code. This code is used to sync your account with our servers, and generate subsequent verification codes. Enter this code and click _Continue_.
**2. Download recovery codes**
We will show you a list of 10 alphanumeric recovery codes. These codes are a fallback mechanism so you can log in to GrapheneDB should you lose access to your app or phone.

Please copy or download these codes and keep them safe! If you can't access your device for any reason, you will need them to access your account again.
**3. Adding a fallback phone number**
In addition to your authenticator application, you can also add a fallback phone number to your account. This ensures you have a backup way to verify your identity should you lose access to your authenticator app (for example, if your phone gets stolen or wiped).

An SMS can be sent to the phone number during login to recover access to your account in case you lose access to your authenticator app (e.g. if your phone is wiped) and you don’t have access to your recovery codes (see below).
## Managing recovery options
## Recovery codes
Recovery codes are provided as a backup way to verify your identity should you lose access to the application you typically use to authenticate. We will provide you with a list of 10 recovery codes after 2FA is enabled on your account. These codes are only shown once, so we strongly recommend that you copy or download them and keep them safe.
### Regenerating recovery codes
If for any reason your recovery codes are lost or compromised, you can regenerate them. This action invalidates the old recovery codes, so you should copy or download the new ones.
To regenerate recovery codes, navigate to the _Account_ menu, scroll down to the _Two-factor authentication_ section and click on _Create new recovery codes_.

## Managing your fallback phone number
## Adding a fallback phone number
If you did not add a fallback phone number during activation, you’ll be able to add it anytime from the _Two-factor authentication_ section.

Once your phone is validated, you will see this reflected in the Two-factor authentication section.

## Editing and removing your fallback phone number
If you have successfully added a fallback phone number, you will be able to edit the number or remove it at any time from the _Two-factor authentication_ section.

## Disabling two-factor authentication
You can disable two-factor authentication by clicking the _Disable 2FA_ button in the _Two-factor authentication_ section of the _Settings_ page.

## Signing in with 2FA
With 2FA enabled, you will be asked to provide a 2FA authentication code in addition to your password when signing in to GrapheneDB.
By default, the 2FA authentication code will be generated by a time-based one-time password (TOTP) application. If you have configured a fallback phone number, you can also have a code delivered to your phone via SMS.
## Using a TOTP application
Once you have configured a TOTP application on your smartphone, such as Google Authenticator or Authy, the app can generate a 2FA authentication code for GrapheneDB at any time.
After entering your email address and password, you’ll be asked for a two-factor authentication code. In most cases, launching the application will generate a new code. Please refer to your application’s documentation for specific usage instructions.
Should you lose your phone or delete the application from your phone, you’ll need to use a recovery code or a code sent to your fallback phone (if you have configured one) to access your account.
## Using your fallback number
If you have configured a fallback phone number, you’ll be able to get an SMS in case you don’t have access to your TOTP app, by clicking on _get a code via SMS_.

Please enter the 6-digit code you should have received via SMS. If you don’t receive an SMS within a couple of minutes, you can retry the operation by clicking on _Resend SMS_.

## Using recovery codes
After entering your credentials in the login page, you will be requested to enter your two-factor code. In case you can’t access your authenticator app, you can use your recovery codes by clicking on the bottom link _Enter a recovery code_.

Please note: **each recovery code is only valid once**. Ensure you will have valid codes to enter next time by regenerating them as needed.
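The recovery-code behaviour described in this section and under "Regenerating recovery codes" (10 codes, each valid once, regeneration invalidating the old set), modelled as an added example; it is not GrapheneDB's implementation. The `RecoveryCodes` class, the code length, the alphabet and hash-only storage are assumptions for illustration.

```python
import hashlib
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed alphanumeric alphabet


def digest(code: str) -> str:
    """Normalise user input, then hash so plaintext codes are never stored."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class RecoveryCodes:
    """Hypothetical per-account store of unused recovery-code hashes."""

    def __init__(self):
        self.unused = set()

    def regenerate(self, count: int = 10, length: int = 10) -> list:
        """Issue a fresh set; replacing the stored hashes invalidates all old codes."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self.unused = {digest(c) for c in codes}
        return codes  # shown to the user once, never retrievable afterwards

    def redeem(self, code: str) -> bool:
        """Accept a code at most once: a match is removed before returning."""
        d = digest(code)
        if d in self.unused:
            self.unused.remove(d)
            return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


def demo() -> tuple:
    """Walk through issue, use, reuse, and regeneration."""
    store = RecoveryCodes()
    first = store.regenerate()
    used_ok = store.redeem(first[0])        # True: first use
    reused = store.redeem(first[0])         # False: already consumed
    second = store.regenerate()
    old_after_regen = store.redeem(first[1])  # False: old set invalidated
    return used_ok, reused, old_after_regen, len(second), store.remaining()
```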
## Recovering from a lockout
Please don’t reset your password if you have been locked out due to a 2FA issue.
To prevent a lockout, we strongly encourage you to always keep a copy of your recovery codes safe, and to add a fallback phone number.
If you have lost access to your authenticator app and recovery codes, and you didn’t add a fallback phone number, please contact us at [[email protected].](🔗)
We will try to verify the ownership of your account to the best of our ability.