Two-Factor Authentication
Two-factor authentication (2FA) adds a second step to login: after your password, you enter a time-based one-time code (TOTP) from an authenticator app. Even if your password is compromised, an attacker cannot log in without the rotating code on your device.
StatusRadar's 2FA is standard TOTP (SHA-1, 6 digits, 30-second period) and works with any authenticator app β Google Authenticator, Authy, 1Password, Microsoft Authenticator, and others.
Before You Start
Install an authenticator app on your phone or in your password manager. All 2FA settings are under Settings β Security (/dashboard/settings?tab=security).
Enabling 2FA
- Go to Settings β Security and start the 2FA setup (
/dashboard/settings/2fa/enable). - StatusRadar generates a secret and displays a QR code plus the secret in text form. Scan the QR code with your authenticator app, or enter the secret manually. The account appears in your app as
StatusRadar.dev:your@email. - Your app now shows a rotating 6-digit code. Enter the current code to confirm setup.
- If the code is correct, 2FA is activated and StatusRadar shows your recovery codes once. Save them before continuing.
The setup secret is held only in your session until you confirm. If you abandon setup, nothing is enabled.
Manual entry details
If you cannot scan the QR code, add the account manually with these parameters:
| Field | Value |
|---|---|
| Account name | your StatusRadar email |
| Issuer | StatusRadar.dev |
| Secret | the displayed base32 secret |
| Type | Time-based (TOTP) |
| Digits | 6 |
| Period | 30 seconds |
| Algorithm | SHA-1 |
Recovery Codes
When you enable 2FA, StatusRadar issues 8 single-use recovery codes in XXXX-XXXX format. Use one in place of an authenticator code if you lose access to your device.
A1B2-C3D4
E5F6-7890
...
Important properties:
- Shown only once. They are displayed immediately after enabling 2FA (and after regenerating). Copy them then β they cannot be retrieved later because only Argon2id hashes are stored.
- Single-use. Each code works once. After a code is used at login, it is consumed and removed.
- Store them offline. A password manager or a printed copy kept somewhere safe is ideal.
Regenerating recovery codes
If you run low, lose your codes, or suspect they leaked, regenerate them from Settings β Security. Regenerating invalidates all previous recovery codes and issues a fresh set of 8, shown once. Your authenticator secret is unchanged β only the backup codes are replaced.
Logging In With 2FA
- Enter your email and password as usual.
- When prompted, enter the current 6-digit code from your authenticator app.
- If you don't have your device, choose to use a recovery code instead and enter one of your unused codes.
You have a limited number of attempts (5) per login before the 2FA challenge is cancelled and you must start the login again. A recovery code used at login is consumed and will not work a second time.
Disabling 2FA
To turn off 2FA, go to Settings β Security and confirm with your account password. Once disabled, login no longer requires a code, and any existing recovery codes are cleared. Re-enabling later generates a brand-new secret and a brand-new set of recovery codes.
Troubleshooting
- "Invalid verification code" during setup or login β the most common cause is clock drift. Make sure your phone's time is set to automatic/network time. StatusRadar accepts the current code plus one step on either side (Β±30s), so a small skew is tolerated, but a large drift will fail.
- Lost your phone and your recovery codes β without either, you cannot complete login. Contact support to verify ownership and reset 2FA.
- Used all recovery codes β regenerate a fresh set from Settings β Security while you still have authenticator access.
Next Steps
- Account Security Overview - All account security controls
- Session Management - Review and revoke active sessions
- API Tokens - Programmatic access tokens