
# Two-Factor Authentication & Security

> Protect your ZeroTwo account with 2FA, backup codes, and session management.

ZeroTwo provides robust account security tools including TOTP-based two-factor authentication, backup codes, session management, and the ability to log out all devices at once. This page covers everything you need to secure your account.

## Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step at login. Even if someone obtains your password, they cannot access your account without also having access to your authenticator app.

ZeroTwo uses **TOTP** (Time-based One-Time Password) — the standard used by apps like Google Authenticator, Authy, and 1Password.

## Setting Up 2FA

<Steps>
  <Step title="Open Security settings">
    Go to **Settings → Security → Two-Factor Authentication** and click **Enable**.
  </Step>

  <Step title="Open your authenticator app">
    Open your preferred authenticator app on your phone or computer. Compatible apps include:

    * Google Authenticator (iOS / Android)
    * Authy (iOS / Android / Desktop)
    * 1Password (iOS / Android / Desktop)
    * Microsoft Authenticator
    * Any standard TOTP app
  </Step>

  <Step title="Scan the QR code">
    ZeroTwo displays a QR code. Scan it with your authenticator app. If you can't scan the QR code, click **Show setup key** and enter the key manually into your app.
  </Step>

  <Step title="Enter the verification code">
    Your authenticator app will display a 6-digit code that refreshes every 30 seconds. Enter the current code into ZeroTwo to verify that setup was successful.
  </Step>

  <Step title="Save your backup codes">
    After verification, ZeroTwo generates your backup codes. **Save these immediately** in a secure location — you'll need them if you lose access to your authenticator app. More on backup codes below.
  </Step>

  <Step title="2FA is now active">
    Your next login will require both your password and a 6-digit code from your authenticator app.
  </Step>
</Steps>
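As an added illustration (not ZeroTwo's own code), the RFC 6238 computation behind the 6-digit, 30-second codes, the standard `otpauth://` Key URI of the kind a setup QR code encodes, and a server-side check that tolerates a little clock drift and refuses to accept the same code twice. The secret is the RFC 6238 reference test secret, and the assumption that ZeroTwo's QR uses the default SHA1/6-digit/30-second parameters is the author's, not the page's.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 reference test secret (ASCII "12345678901234567890"), base32-encoded the way a
# "Show setup key" screen would display it. Constructed example value, not a real ZeroTwo key.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def otpauth_uri(secret_b32: str, account: str, issuer: str = "ZeroTwo") -> str:
    """Key URI format understood by Google Authenticator, Authy, 1Password, etc.
    Assumption: the QR code carries these default parameters (SHA1, 6 digits, 30 s)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, used_steps: set,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` neighbours to tolerate
    clock drift, compares in constant time, and records the accepted step so the same
    code cannot be replayed while it is still within its validity period."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if hmac.compare_digest(totp_code(secret_b32, t, step), submitted):
            if t // step in used_steps:
                return False  # replay of an already-consumed code
            used_steps.add(t // step)
            return True
    return False
```

The expected codes for `SETUP_KEY` at the RFC 6238 test times (59 s, 1111111109 s, ...) are the last six digits of the SHA1 vectors in that RFC's appendix.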

## Backup Codes

Backup codes are emergency access codes generated when you enable 2FA. Each code is **single-use** — once you use it to log in, it's gone.

**What backup codes are for:**

* Getting into your account if you lose your phone or uninstall your authenticator app
* Recovering access when traveling without your usual device

**How many you get:** ZeroTwo generates 8 or more backup codes when you enable 2FA.

**Where to store them:**

* In your password manager (most secure)
* In an encrypted notes app
* Printed and stored somewhere physically secure

<Warning>
  If you lose access to your authenticator app **and** your backup codes, account recovery may be difficult or impossible. There is no email-based bypass for 2FA — backup codes are the recovery mechanism. Store them securely.
</Warning>

### Regenerating Backup Codes

If you've used most of your backup codes, or if you're concerned they may have been compromised:

1. Go to **Settings → Security → Two-Factor Authentication**
2. Click **Regenerate backup codes**
3. **The old codes are immediately invalidated** — they will no longer work
4. Save your new codes in a secure location right away
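A constructed model of the backup-code rules this section and the one above describe (a set of 8 codes issued with 2FA, each single-use, and regeneration invalidating the old set); this is an added example, not ZeroTwo's code. The code format (10 hex characters shown as xxxxx-xxxxx), the count of 8, and storing only SHA-256 digests are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not ZeroTwo's implementation. Assumptions: 8 codes per set,
# 10 hex characters each shown as xxxxx-xxxxx, stored only as SHA-256 digests (the codes
# are 40-bit random values, so an unsalted digest is adequate for this purpose).


class BackupCodes:
    CODE_COUNT = 8
    CODE_BYTES = 5

    def __init__(self) -> None:
        self._digests: set[bytes] = set()

    @staticmethod
    def _normalize(code: str) -> str:
        # Users paste codes with or without the dash and in either case; canonicalize first.
        return code.replace("-", "").replace(" ", "").strip().lower()

    @classmethod
    def _digest(cls, code: str) -> bytes:
        return hashlib.sha256(cls._normalize(code).encode()).digest()

    def regenerate(self) -> list[str]:
        """Issue a fresh set and drop every previous digest, so old codes stop working
        at once. The plaintext codes are returned for display exactly once, never stored."""
        raw = [secrets.token_hex(self.CODE_BYTES) for _ in range(self.CODE_COUNT)]
        codes = [f"{r[:5]}-{r[5:]}" for r in raw]
        self._digests = {self._digest(c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """Single-use: accept a code only if its digest is still present, then remove it."""
        target = self._digest(submitted)
        matched = None
        for d in self._digests:  # scan the whole set; constant-time per comparison
            if hmac.compare_digest(d, target):
                matched = d
        if matched is None:
            return False
        self._digests.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self._digests)
```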

## Logging In With 2FA

After you enable 2FA, every login requires an additional step:

1. Enter your email and password as usual
2. ZeroTwo presents a 2FA challenge screen
3. Open your authenticator app and enter the current 6-digit code
4. If you don't have your authenticator app, click **Use a backup code** and enter one of your saved backup codes

## Disabling 2FA

<Steps>
  <Step title="Open Security settings">
    Go to **Settings → Security → Two-Factor Authentication**.
  </Step>

  <Step title="Click Disable">
    Click **Disable 2FA**.
  </Step>

  <Step title="Confirm with your current code">
    Enter a valid 6-digit code from your authenticator app to confirm you have control of the 2FA device.
  </Step>

  <Step title="2FA is disabled">
    Your account no longer requires 2FA at login. You can re-enable it at any time.
  </Step>
</Steps>

<Warning>
  Disabling 2FA reduces your account security. Anyone who obtains your email and password can access your account. Only disable 2FA if you have a specific reason to do so.
</Warning>

## Authenticator Assurance Level (AAL)

ZeroTwo uses **Authenticator Assurance Level (AAL)** to track how your current session was authenticated:

| AAL Level | How it's achieved   | What it means                                                          |
| --------- | ------------------- | ---------------------------------------------------------------------- |
| AAL1      | Password only       | Standard session — authenticated with password                         |
| AAL2      | Password + 2FA code | High-assurance session — you've verified possession of your 2FA device |

Certain high-security operations within ZeroTwo may require AAL2 — meaning if your current session was established without a 2FA challenge, you may be prompted to re-authenticate with your 2FA code before proceeding.

## Session Management

ZeroTwo tracks active sessions across all devices where you're logged in. You can view and manage these sessions to ensure no unauthorized access exists.

### Viewing Active Sessions

1. Go to **Settings → Security → Sessions**
2. See a list of all active sessions including:
   * Device type and name
   * Location (approximate, based on IP)
   * Last active time
   * Current session indicator

### Ending a Specific Session

If you see a session you don't recognize or a device you no longer use:

1. In the Sessions list, find the session you want to end
2. Click the logout icon or **End session** next to it
3. That device will be logged out immediately

### Logout All Devices

The **Logout All Devices** option revokes all active sessions across every device where you're logged in — including your current session.

**Use this if:**

* You've lost a device
* You suspect your account has been accessed without your permission
* You're handing over a device and want to ensure your account isn't accessible

To log out all devices:

1. Go to **Settings → Security**
2. Click **Logout All Devices**
3. Confirm the action
4. All sessions are immediately revoked — you'll need to log in again on every device

<Note>
  After using Logout All Devices, you will be logged out of your current session too. You'll be redirected to the login page.
</Note>

## Authentication Methods

ZeroTwo supports two ways to sign in:

| Method                     | Description                                                        |
| -------------------------- | ------------------------------------------------------------------ |
| **Email + Password**       | Traditional credential-based login. Works with 2FA.                |
| **OAuth (Google, GitHub)** | Sign in with your Google or GitHub account. Fast and passwordless. |

OAuth authentication does not use ZeroTwo-managed passwords. If you signed up with Google or GitHub, you manage your password security through those providers.

## Frequently Asked Questions

<Accordion title="Can I use the same authenticator app across multiple accounts?">
  Yes. Authenticator apps are designed to manage multiple TOTP accounts. You'll have one entry per ZeroTwo account.
</Accordion>

<Accordion title="What if I change phones?">
  Before getting a new phone, transfer your authenticator app to the new device. Most apps (Authy, 1Password, Google Authenticator) have a transfer or export feature. If you already switched phones without transferring, use a backup code to log in and then re-set up 2FA with your new device.
</Accordion>

<Accordion title="Does 2FA work with OAuth (Google/GitHub) login?">
  ZeroTwo's 2FA applies at the ZeroTwo level. If you sign in via Google, Google handles its own MFA. ZeroTwo's TOTP 2FA is a separate, additional layer on top of OAuth.
</Accordion>

<Accordion title="Can I require 2FA for my whole Business org?">
  Org-level 2FA enforcement may be available for Business accounts. Contact ZeroTwo support to ask about enforcing 2FA across all members in your org.
</Accordion>

<Accordion title="I lost my phone and backup codes. What do I do?">
  Contact ZeroTwo support at [reed@zerotwo.ai](mailto:reed@zerotwo.ai). Account recovery without a 2FA method requires identity verification. There is no automated bypass — this is intentional to prevent unauthorized access.
</Accordion>
