Two-Factor Authentication
Add an extra layer of security to your CODITECT account with two-factor authentication (2FA).
What is 2FA?
Two-factor authentication requires two forms of verification:
- Something you know - Your password
- Something you have - Your phone/authenticator app
Even if someone steals your password, they can't access your account without the second factor.
Setting Up 2FA
Using Authenticator App (Recommended)
Works with Google Authenticator, Authy, 1Password, or any TOTP app.
- Go to Settings → Security → Two-Factor Authentication
- Click Enable 2FA
- Select Authenticator App
- Scan QR code with your app:
┌─────────────────────────────────────┐
│ │
│ ██████████████████████████████ │
│ ██ ██ │
│ ██ ████████████████ ██ ██ │
│ ██ ██ ██ ██ ██ │
│ ██ ██ ████████ ██ ██ ██ │
│ ██ ██ ██ ██ ██ ██ ██ │
│ ██ ██ ████████ ██ ██ ██ │
│ ██ ██ │
│ ██████████████████████████████ │
│ │
│ Can't scan? Enter this code: │
│ XXXX XXXX XXXX XXXX │
└─────────────────────────────────────┘
- Enter the 6-digit code from your app
- Save your backup codes (shown only once!)
- Click Enable
Using SMS (Less Secure)
SMS 2FA is vulnerable to SIM swapping attacks. We recommend using an authenticator app instead.
- Go to Settings → Security → Two-Factor Authentication
- Click Enable 2FA
- Select SMS
- Enter your phone number
- Enter verification code received via SMS
- Save your backup codes
- Click Enable
Logging In with 2FA
Normal Login
- Enter email and password
- Enter 6-digit code from authenticator app
- Click Verify
┌─────────────────────────────────────┐
│ Two-Factor Authentication │
├─────────────────────────────────────┤
│ │
│ Enter the 6-digit code from your │
│ authenticator app: │
│ │
│ ┌───┐ ┌───┐ ┌───┐ ┌───┐ ┌───┐ ┌───┐ │
│ │ │ │ │ │ │ │ │ │ │ │ │ │
│ └───┘ └───┘ └───┘ └───┘ └───┘ └───┘ │
│ │
│ [Verify] │
│ │
│ Lost access? Use backup code │
└─────────────────────────────────────┘
Using Backup Code
If you can't access your authenticator:
- Click Use backup code on 2FA screen
- Enter one of your backup codes
- Click Verify
Each backup code works only once. After use, it's invalid.
Managing 2FA
View 2FA Status
Go to Settings → Security → Two-Factor Authentication:
┌─────────────────────────────────────┐
│ Two-Factor Authentication │
├─────────────────────────────────────┤
│ Status: ✅ Enabled │
│ Method: Authenticator App │
│ Enabled: January 1, 2026 │
│ │
│ [View Backup Codes] [Disable 2FA] │
└─────────────────────────────────────┘
Regenerate Backup Codes
If you've used backup codes or want new ones:
- Go to Settings → Security → Two-Factor Authentication
- Click View Backup Codes
- Enter your current 2FA code
- Click Regenerate Codes
- Save new codes securely
Old codes become invalid when you regenerate.
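To make the two rules above concrete (each backup code is usable exactly once, and regenerating invalidates every earlier code), here is an added example of how a service can store and redeem backup codes. This is illustrative code written for this page, not CODITECT's implementation; the class name, code length, alphabet and hashing scheme are assumptions.

```python
# Added example, not CODITECT's code. Demonstrates single-use backup codes:
# codes are stored only as hashes, a redeemed code is removed so it cannot be
# replayed, and regenerate() replaces the whole set so old codes stop working.
import hashlib
import hmac
import secrets

# Assumed alphabet: ambiguous characters (0/O, 1/l/I) left out for printed codes.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code: str) -> str:
    """Normalise the display form (dash, upper case) and hash it.

    Like passwords, codes are never stored in clear text, so a database leak
    does not hand out working backup codes.
    """
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


class BackupCodes:
    """Holds hashes of the codes that have not been used yet."""

    def __init__(self) -> None:
        self._unused: set[str] = set()

    def regenerate(self, count: int = 8, length: int = 8) -> list[str]:
        """Mint fresh codes and invalidate every previously issued one.

        The clear-text codes are returned exactly once, for display to the
        user; afterwards only their hashes exist on the server side.
        """
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            codes.append(f"{raw[:4]}-{raw[4:]}")
        self._unused = {_hash_code(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Return True and burn the code if it is still unused, else False."""
        candidate = _hash_code(code)
        matched = None
        # Scan the whole set with a constant-time compare rather than a set
        # lookup, so response timing does not leak anything about the stored hashes.
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)  # single use: gone after one success
        return True

    def remaining(self) -> int:
        """How many unused codes are left; a UI can prompt to regenerate when low."""
        return len(self._unused)
```

A real deployment would persist the hash set per user and rate-limit `redeem`, since an 8-character code is far shorter than a password; the point shown here is the lifecycle, not the storage layer.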
Change 2FA Method
To switch from SMS to Authenticator (or vice versa):
- Disable current 2FA method
- Enable new method
- New backup codes are generated
Disable 2FA
Disabling 2FA reduces account security. Only disable if absolutely necessary.
- Go to Settings → Security → Two-Factor Authentication
- Click Disable 2FA
- Enter your password
- Enter current 2FA code
- Confirm action
Recovery Options
Lost Authenticator Device
If you have backup codes:
- Log in with email/password
- Use a backup code
- Set up 2FA on new device
If you don't have backup codes:
- Contact 1@az1.ai
- Verify identity (requires photo ID)
- Support will disable 2FA after verification
- Set up 2FA again immediately
Lost Phone Number (SMS 2FA)
- Contact 1@az1.ai
- Verify identity
- Update phone number after verification
Best Practices
Choosing a Method
| Method | Security | Convenience |
|---|---|---|
| Authenticator App | ⭐⭐⭐ | ⭐⭐⭐ |
| Hardware Key (future) | ⭐⭐⭐⭐ | ⭐⭐ |
| SMS | ⭐⭐ | ⭐⭐⭐ |
Storing Backup Codes
Do:
- Store in password manager
- Print and keep in secure location
- Store in encrypted file
Don't:
- Save in unencrypted notes
- Store on device without protection
- Share with others
Recommended Apps
| App | Platform | Features |
|---|---|---|
| 1Password | All | Password manager + TOTP |
| Authy | All | Cloud backup, multi-device |
| Google Authenticator | iOS, Android | Simple, no account needed |
| Microsoft Authenticator | All | Enterprise features |
Organization Requirements
Requiring 2FA for Members
Org admins can require 2FA:
- Go to Organization → Settings → Security
- Enable Require 2FA for all members
- Set grace period (7/14/30 days)
Members without 2FA will:
- See reminder on login
- Be required to set up 2FA after grace period
- Lose access if not compliant
Checking Team Compliance
View 2FA status for all members:
- Go to Organization → Members
- Filter by 2FA Status:
  - ✅ Enabled
  - ⚠️ Not enabled
  - ⏳ Grace period
Enforcement Timeline
| Day | Action |
|---|---|
| 0 | Requirement enabled |
| 0-7 | Reminder on login |
| 7 | Daily email reminders |
| Grace period end | Access restricted until 2FA enabled |
Troubleshooting
Code Not Working
- Check time sync - Your device clock must be accurate
- Wait for new code - Codes refresh every 30 seconds
- Verify correct account - Check app shows "CODITECT"
- Try backup code - If issue persists
Time Sync Issues
Authenticator apps use time-based codes. If your clock is off:
Android:
- Settings → Date & Time
- Enable "Automatic date & time"
iOS:
- Settings → General → Date & Time
- Enable "Set Automatically"
Multiple Accounts
If you have multiple CODITECT accounts:
- Each needs separate 2FA setup
- Authenticator will show multiple entries
- Label accounts clearly in app
Security Considerations
Why 2FA Matters
| Attack | Without 2FA | With 2FA |
|---|---|---|
| Password leak | ❌ Vulnerable | ✅ Protected |
| Phishing | ❌ Vulnerable | ⚠️ Partially protected |
| Brute force | ❌ Vulnerable | ✅ Protected |
| SIM swap | N/A | ⚠️ SMS vulnerable |
Limitations
2FA protects against:
- ✅ Password theft
- ✅ Credential stuffing
- ✅ Most phishing attacks
2FA doesn't protect against:
- ❌ Malware on your device
- ❌ Real-time phishing (rare)
- ❌ Physical access to unlocked device