Two-factor authentication (2FA) adds a second login step using a time-based code from an authenticator app on your phone. With 2FA on, a leaked password alone won't get someone into your account.
Turning it on
- Go to Settings → Security → Two-factor authentication → Enable.
- Scan the QR code with an authenticator app — Google Authenticator, Authy, 1Password, Microsoft Authenticator, or any TOTP-compatible app.
- Enter the 6-digit code from the app to confirm.
- We generate 8 single-use backup codes — print or save them somewhere safe. Each one works exactly once if you lose access to your authenticator.
- 2FA is now on.
From your next login, we'll ask for the 6-digit code after your password.
If you lose your phone
- Backup code: enter one at the 2FA prompt. Each one works once.
- Email recovery — at the prompt, click "Lost your code?" and we'll email a magic link. The link signs you in once and lets you disable 2FA or set it up on a new device.
If you've lost both, contact support and be ready to verify your identity via your accounting records.
For accountants on client accounts
2FA is on YOUR account, not the client's. When you act as a client, you're still you with 2FA already verified, so there is no extra step.
Turning it off
Settings → Security → Disable. This requires a current 2FA code or backup code to confirm, which prevents someone with just your password from removing the second factor.
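For readers who want to see the mechanics, here is an added illustration (not this platform's code) of a server-side second-factor check: RFC 6238 TOTP for the 6-digit code, with single-use backup codes as the fallback. The class name, the backup-code format and the one-step clock-drift window are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # length of the code shown by the authenticator app


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def new_backup_codes(n: int = 8) -> list[str]:
    """Generate n random backup codes (16 hex chars is an assumed format)."""
    return [secrets.token_hex(8) for _ in range(n)]


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class SecondFactor:
    def __init__(self, secret: bytes, backup_codes: list[str]):
        self.secret = secret
        self.backup_hashes = {_digest(c) for c in backup_codes}  # no plaintext
        self.last_step = -1  # last accepted time step, blocks code replay

    def verify(self, submitted: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        submitted = submitted.strip().replace(" ", "")
        # Accept the current step and one either side to absorb clock drift.
        for drift in (-1, 0, 1):
            step = int(now) // STEP + drift
            expected = totp(self.secret, step * STEP).encode()
            if step > self.last_step and hmac.compare_digest(expected, submitted.encode()):
                self.last_step = step
                return True
        if _digest(submitted) in self.backup_hashes:
            self.backup_hashes.remove(_digest(submitted))  # works exactly once
            return True
        return False
```

The same `verify` call would gate both the login prompt and the request to disable 2FA, since either accepts a current code or a backup code.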
When 2FA is required
Recommended for everyone, mandatory for:
- ADMIN role on the platform.
- Verified accountants after KYC approval.
- Anyone managing real customer billing.