Two-factor authentication
Set up TOTP-based 2FA, save backup codes, and recover access if you lose your authenticator app. Compatible with Google Authenticator, 1Password, Authy, Bitwarden, and any other RFC 6238 client.
Updated 2026-05-25 · 2 min read
Two-factor authentication adds a one-time code requirement to every sign-in. The first factor is your password, the second is a 6-digit number that changes every 30 seconds — generated by an app on your phone (or browser extension) and never sent over the network. This document explains how to set it up on Everguardly, what to do if you lose your authenticator, and how to recover with backup codes.
Why 2FA matters
Passwords get phished, leaked in breaches, and shared between sites. A second factor stops most account takeovers cold: even if your password ends up on the dark web, the attacker still needs the rotating code from your phone. Studies show 2FA blocks 99% of bulk phishing attacks.
Setup walk-through
- Open Settings → Security and click Enable 2FA.
- A QR code appears. Open your authenticator app and scan it.
- Type the 6-digit code your app shows into Everguardly and click Verify & enable.
- Everguardly displays 10 backup codes. Copy them into your password manager before clicking Done. We never show them again.
Compatible authenticator apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, Aegis, Raivo, and any other RFC 6238 client.
How sign-in changes
Once 2FA is on, every sign-in goes through a one-time-code step after your password. You'll have 30 seconds per code; if it expires while you type, your authenticator shows the next one — submit that instead. The cookie that proves you completed 2FA lasts 30 days per session, so you won't be re-challenged every hour.
Backup codes
Each of the 10 backup codes works exactly once. Use one if your phone is dead, lost, or you're traveling without it. After signing in with a backup code, remove it from your saved list — Everguardly already invalidated it server-side.
Regenerating codes
When you're down to 0–3 codes left, head to Settings → Security and click Regenerate. You'll need a fresh code from your authenticator to confirm — that's a guard against an attacker who steals your session cookie but doesn't have your phone. The 10 new codes replace the old ones; previously-issued codes that you haven't used stop working.
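The single-use and regeneration rules in the two sections above can be shown in a few lines. This is an added example written for this doc, not Everguardly's code: the store class, the code format (8 hex characters from 40 random bits) and the "3 or fewer left" threshold are assumptions chosen to match the behaviour the text describes.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_BYTES = 5  # 40 bits -> 8 hex characters; a hypothetical format, not Everguardly's


def generate_backup_codes(count: int = CODE_COUNT) -> list[str]:
    """Fresh random single-use codes, shown to the user exactly once."""
    return [secrets.token_hex(CODE_BYTES) for _ in range(count)]


def hash_code(code: str) -> str:
    """Store only a hash so a database read does not yield usable codes.

    The codes are high-entropy random strings, so a plain SHA-256 is adequate
    here (a slow password hash guards against guessing low-entropy input, which
    these are not). Case and surrounding whitespace are normalised so a code
    pasted from a password manager still matches.
    """
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class BackupCodeStore:
    """In-memory stand-in for one user's table of unused backup-code hashes."""

    def __init__(self) -> None:
        self._unused: set[str] = set()

    def issue(self) -> list[str]:
        """Regenerate: the new set replaces the old, so unused old codes stop working."""
        codes = generate_backup_codes()
        self._unused = {hash_code(c) for c in codes}
        return codes

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Consume a code: it is valid once and invalid forever after."""
        digest = hash_code(submitted)
        for stored in self._unused:
            if hmac.compare_digest(stored, digest):
                self._unused.discard(stored)   # server-side invalidation
                return True
        return False

    def needs_regeneration(self, threshold: int = 3) -> bool:
        """Mirror the 'down to 0-3 codes left' prompt from the doc."""
        return self.remaining() <= threshold


if __name__ == "__main__":
    store = BackupCodeStore()
    first = store.issue()
    print(store.redeem(first[0]), store.redeem(first[0]))   # True False
    second = store.issue()
    print(store.redeem(first[1]), store.redeem(second[0]))  # False True
```

Calling issue() should itself be gated behind a fresh TOTP code, as the doc describes, since an attacker holding only a session cookie would otherwise be able to mint codes they control; redeem() should count against the same rate limit as the TOTP prompt.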
Lost your authenticator?
- Sign in normally with your email and password.
- On the 2FA prompt click "I've lost my authenticator — use a backup code".
- Punch in any unused backup code.
- Once you're in, head to Settings → Security, Disable 2FA, then re-enable with the new authenticator app.
If your backup codes are also gone, contact support after Setup Day — domain-verified email reset lands in V1.2.
Best practices
- Use a dedicated authenticator app rather than your password manager's TOTP feature where possible — it keeps the second factor separated from the first.
- Print the backup codes and store them physically alongside other recovery documents.
- Don't screenshot the QR code; treat the secret behind it the same way you'd treat a password.
Security trade-offs
We store the TOTP secret server-side so we can verify codes; the secret is what generates the codes, so anyone with it can produce valid codes. In V1 the secret is stored unencrypted in the database — Better Auth's row-level encryption add-on lands at Setup Day. Even today an attacker would need both DB access AND your password to abuse 2FA, but for defense in depth keep an eye out for the Setup Day encryption rollout.
Need something this doesn't cover? Email hello@everguardly.com — we'll write the doc.