Security & Privacy

Two-Factor Authentication

Protect your account with 2FA. Set up authenticator apps, generate backup codes, and recover access if you lose your device. TOTP and SMS options available.

Tyler Johnson
5 min read

A password alone isn't enough. If someone gets your password (phishing, data breach, keylogger), they own your account. Two-factor authentication stops them cold.

How 2FA Works

Login requires two things:

  1. Something you know: Your password
  2. Something you have: Your phone (authenticator app) or phone number (SMS)

An attacker with your password still can't log in without your phone. This blocks 99.9% of account takeovers.

Choosing a 2FA Method

We support two methods:

TOTP (Time-Based One-Time Password) - Recommended

  • Uses an authenticator app (Google Authenticator, Authy, 1Password)
  • Generates 6-digit codes that change every 30 seconds
  • Works offline (no internet needed)
  • Most secure option

SMS (Text Message)

  • Sends a 6-digit code to your phone number
  • Requires cell signal or WiFi calling
  • Vulnerable to SIM swap attacks
  • Better than nothing, but not recommended

Use TOTP unless you absolutely can't install an authenticator app.

Setting Up TOTP (Authenticator App)

Step 1: Install Authenticator App

Recommended apps:

  • Google Authenticator: Free, simple, works offline
  • Authy: Free, cloud backup, multi-device
  • 1Password: Paid, integrates with password manager
  • Microsoft Authenticator: Free, push notifications

Download from the App Store or Google Play.

Step 2: Enable 2FA in Multilogin

Settings → Security → Two-Factor Authentication → "Enable 2FA" button.

You'll see a QR code and a manual setup key.

Step 3: Scan QR Code

Open your authenticator app → Add account → Scan QR code → Point camera at screen.

The app shows "Multilogin.io" with a 6-digit code that changes every 30 seconds.

Can't scan? Use the manual setup key instead. Copy the long alphanumeric string and paste it into your app.

Step 4: Verify Setup

Enter the 6-digit code from your app. Click "Verify and Enable."

If the code works, 2FA is enabled. If not, check:

  • Your phone's clock is accurate (TOTP is time-based)
  • You're entering the code quickly (it expires after 30 seconds)
  • You scanned the correct QR code

Step 5: Save Backup Codes

Download the 10 backup codes. Each code is single-use. Store them somewhere safe (password manager, encrypted file, physical safe).

⚠️ Critical

Save backup codes NOW. If you lose your phone, backup codes are the only way to access your account. Without them, you're permanently locked out.
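What the authenticator app and the server are each doing during Steps 3 and 4, written in Python as an added example (not Multilogin's code): the setup key here is the RFC 6238 reference secret used as a constructed stand-in, and the one-window clock-skew allowance in the server check is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime stated in the article
DIGITS = 6          # code length stated in the article

# Constructed stand-in for a manual setup key: the RFC 6238 reference secret
# ("12345678901234567890") in base32. Not a real Multilogin key.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(setup_key: str, unix_time: int) -> str:
    """Compute the 6-digit code for the 30-second window containing unix_time (RFC 6238)."""
    # Apps accept the key with spaces and lowercase; normalise before decoding.
    key = base64.b32decode(setup_key.replace(" ", "").upper())
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(setup_key: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check (assumed policy: accept the current window and one on either side).

    A phone clock that is a few seconds off still passes; a clock that is minutes off fails,
    which is why the setup checklist tells you to confirm the phone's clock is accurate.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(setup_key, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```

A production check also records the last accepted counter per account so the same code cannot be submitted a second time within its window.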

Setting Up SMS

Settings → Security → Two-Factor Authentication → Select "SMS" → Enter phone number.

We send a verification code to your number. Enter the code to verify.

After setup, each login sends an SMS with a 6-digit code. Enter the code to complete login.

SMS Limitations:

  • SIM swap attacks can intercept codes
  • Doesn't work in areas with no cell service
  • SMS delivery can be delayed (minutes)
  • International SMS may fail

Logging In with 2FA

Login Flow:

  1. Enter email and password
  2. System prompts for 6-digit code
  3. Open your authenticator app → Get the current code
  4. Enter code (must be done within 30 seconds)
  5. Check "Trust this device for 30 days" if it's your personal computer
  6. Click "Verify"

Trusted devices don't ask for a 2FA code for 30 days. Public computers should never be trusted.

Using Backup Codes

Phone lost or broken? Use backup codes.

Login normally → Enter backup code instead of authenticator code.

Each backup code works once. After using 5 codes, generate a new set: Settings → Security → 2FA → "Regenerate Backup Codes."
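Server-side handling of a backup-code set, as an added Python example (not Multilogin's code): the set of 10, the single-use rule and the "regenerate after 5 used" threshold come from this section; hashed storage and the xxxxx-xxxxx code format are assumptions.

```python
import hashlib
import hmac
import secrets

SET_SIZE = 10          # the article: each set has 10 codes
REGENERATE_AFTER = 5   # the article: make a new set once 5 codes are used


def normalize(code: str) -> str:
    """Accept the code however the user typed it: case and separators are ignored."""
    return code.replace("-", "").replace(" ", "").lower()


def code_hash(code: str) -> str:
    # Store only a hash so a database leak does not hand out working codes.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = SET_SIZE) -> tuple[list[str], list[str]]:
    """Return (plaintext codes to show the user once, hashes to persist).

    Format is an assumption: 10 hex characters (40 bits) written as xxxxx-xxxxx.
    """
    plain = [f"{h[:5]}-{h[5:]}" for h in (secrets.token_hex(5) for _ in range(count))]
    return plain, [code_hash(c) for c in plain]


def redeem_backup_code(stored_hashes: list[str], submitted: str) -> bool:
    """Accept a code at most once: a match is deleted from the stored set."""
    digest = code_hash(submitted)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, digest):
            del stored_hashes[i]
            return True
    return False


def needs_new_set(stored_hashes: list[str]) -> bool:
    """True once the user has burned REGENERATE_AFTER codes from the set."""
    return SET_SIZE - len(stored_hashes) >= REGENERATE_AFTER
```

Because each code is short, a real deployment also rate-limits backup-code attempts and logs every redemption as a security event the account owner can review.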

Account Recovery

Lost phone AND lost backup codes? You're in trouble.

Recovery Options:

  1. Contact Support: Email support@multilogin.io with proof of account ownership (payment receipts, old profile names, API keys). We verify your identity manually. Takes 3-5 business days.
  2. Security Questions (if enabled): Answer 3 security questions to disable 2FA.

Prevention:

  • Store backup codes in password manager
  • Use Authy with cloud backup (syncs to multiple devices)
  • Enable security questions as backup recovery method
  • Note down your setup key (you can re-add it to a new phone)

Disabling 2FA

Settings → Security → 2FA → "Disable Two-Factor Authentication" button.

Enter current password and 2FA code to confirm.

When to disable:

  • Switching to a different authenticator app
  • Replacing lost phone
  • Account transfer

Re-enable immediately after resolving the issue.

2FA for Team Members

Owner can enforce 2FA: Settings → Team → Security Policies → "Require 2FA for all members."

Team members get 7 days to enable 2FA. After deadline, they're locked out until they enable it.

Strongly recommended for:

  • Teams handling sensitive client data
  • Compliance requirements (SOC 2, ISO 27001)
  • High-value accounts (>$10k monthly revenue)

Best Practices

  • Use TOTP, not SMS
  • Store backup codes in password manager
  • Don't trust public computers
  • Enable 2FA on email account too (attacker with email access can reset passwords)
  • Use different authenticator from email (diversify risk)
  • Test backup codes annually (make sure they work)

Secure Your API Keys

Your account is protected with 2FA. Now secure your API keys, webhook secrets, and automation credentials with proper key management and rotation policies.

Tyler Johnson

Identity & Access Management Lead

Tyler Johnson builds authentication systems at Multilogin.io. He's implemented 2FA for 50,000+ accounts and reduced account takeovers by 99.7%.