Two-Factor Authentication (2FA)
Two-Factor Authentication adds an extra layer of security to your Xermius account by requiring both your password and a verification code from your mobile device.
What is 2FA?
Two Factors of Authentication
Something you know:
- Your password
Something you have:
- Your mobile device with authenticator app
- Generates time-based codes (TOTP)
How It Works
1. Enter username & password
↓
2. Enter 6-digit code from app
↓
3. Access granted ✓
Even if someone has your password, they cannot sign in without a current code from your authenticator app. Codes change every 30 seconds, so a code that leaks is useless almost immediately. The one thing to watch for is a fake sign-in page that asks for your code and relays it to the real one: only enter codes on the Xermius site you navigated to yourself.
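To make the "something you have" factor concrete, here is an added example (not Xermius code) of how the app and the server both arrive at the same 6-digit code: RFC 4226 HOTP under RFC 6238 TOTP, with the page's own setup key JBSWY3DPEHPK3PXP. The 30-second step, 6 digits and SHA-1 are the defaults most authenticator apps use; the one-window skew tolerance on the server side is an assumption, and the "slow phone" run at the bottom shows why a badly wrong phone clock produces codes that are always rejected.

```python
# Added example (not Xermius code): RFC 4226 HOTP + RFC 6238 TOTP, standard library only.
# SETUP_KEY is the setup key shown on the page's QR screen.  SKEW_STEPS is an
# assumption about the server; the other parameters are the usual app defaults.
import base64
import hashlib
import hmac
import struct
import time

SETUP_KEY = "JBSWY3DPEHPK3PXP"  # base32 setup key from the enrolment screen
STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1                  # assumed server tolerance: one window either side


def decode_setup_key(key_b32: str) -> bytes:
    """Base32-decode a setup key, tolerating spaces and missing '=' padding."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(decode_setup_key(key_b32), at // step)


def verify_totp(key_b32: str, submitted: str, now: int,
                skew_steps: int = SKEW_STEPS, step: int = STEP_SECONDS) -> bool:
    """Server-side check of a submitted code.

    Accepts the current window plus skew_steps windows either side, so a phone
    clock a few seconds off still works while one that is minutes off does not.
    Every candidate window is compared in constant time and none short-circuits,
    so response timing does not reveal which window matched.
    """
    secret = decode_setup_key(key_b32)
    counter = now // step
    submitted = submitted.replace(" ", "")
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    matched = False
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        matched |= hmac.compare_digest(hotp(secret, c), submitted)
    return matched


def seconds_remaining(now: int, step: int = STEP_SECONDS) -> int:
    """What the 'Code expires in' countdown on the verify screen shows."""
    return step - (now % step)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SETUP_KEY, now), "expires in", seconds_remaining(now), "s")
    # A phone whose clock is 2 minutes slow produces the code from 4 windows ago;
    # a server tolerating 1 window rejects it.  This is the "Wrong Time on Phone" case.
    slow_phone_code = totp(SETUP_KEY, now - 120)
    print("code from a phone 2 minutes slow accepted?",
          verify_totp(SETUP_KEY, slow_phone_code, now))
```

Scanning the QR code simply hands the app the same secret this script decodes; from then on the app and the server each compute the code independently from the secret and the clock, which is why nothing needs to be sent to the phone at sign-in time.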
Why Enable 2FA?
Security Benefits
✅ Prevents unauthorized access - Even if password is compromised
✅ Protects sensitive data - Hosts, SSH keys, credentials
✅ Industry best practice - Required by many organizations
✅ Peace of mind - Sleep better knowing account is secure
When 2FA is Required
- Enterprise plans - Mandatory for all users
- Team accounts - Admin can require for all members
- API access - Required for generating API tokens
- Payment changes - Extra verification for billing
Setting Up 2FA
Prerequisites
You'll need:
- Xermius account (signed in)
- Smartphone or tablet
- Authenticator app installed
Step 1: Choose Authenticator App
Install one of these apps on your mobile device:
Recommended Apps:
Google Authenticator
- iOS: App Store
- Android: Play Store
- ✓ Free
- ✓ Simple
- ✓ Reliable
Microsoft Authenticator
- iOS: App Store
- Android: Play Store
- ✓ Free
- ✓ Cloud backup
- ✓ Push notifications
Authy
- iOS: App Store
- Android: Play Store
- ✓ Free
- ✓ Multi-device sync
- ✓ Cloud backup
1Password
- iOS/Android: 1Password
- ✓ Password manager + 2FA
- ✓ Cloud backup
- ✓ Paid (subscription)
Step 2: Enable 2FA in Xermius
- Sign in to your Xermius web dashboard
- Navigate to Security → Two-Factor Authentication
- Click "Enable Two-Factor Authentication" button
Step 3: Scan QR Code
┌─────────────────────────────────────────┐
│ Setup Two-Factor Authentication │
├─────────────────────────────────────────┤
│ │
│ Scan this QR code with your │
│ authenticator app: │
│ │
│ ┌─────────────────┐ │
│ │ █▀▀▀▀▀█ ▀ █▀▀▀│ │
│ │ █ ███ █▀█ ▀ ▀ │ │
│ │ █ ▀▀▀ █ ██▄▀▀ │ │
│ │ ▀▀▀▀▀▀▀ ▀ █ █ │ │
│ │ ▀ █▀▀█▀ █ ▀▀▀ │ │
│ └─────────────────┘ │
│ │
│ Or enter this code manually: │
│ JBSWY3DPEHPK3PXP │
│ │
│ Account: user@xermius.com │
│ Issuer: Xermius │
│ │
│ [Continue] │
└─────────────────────────────────────────┘
To Scan:
- Open authenticator app
- Tap "+" or "Add Account"
- Select "Scan QR Code"
- Point camera at QR code
- Account added to app
Manual Entry:
- Tap "Enter Setup Key" in app
- Enter:
  - Account: user@xermius.com
  - Key: JBSWY3DPEHPK3PXP
  - Type: Time-based (if the app asks)
- Tap "Add"
Step 4: Verify with Code
After scanning/entering:
┌─────────────────────────────────────────┐
│ Verify Two-Factor Authentication │
├─────────────────────────────────────────┤
│ Enter the 6-digit code from your app: │
│ │
│ ┌───┬───┬───┬───┬───┬───┐ │
│ │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ │
│ └───┴───┴───┴───┴───┴───┘ │
│ │
│ Code expires in: 24 seconds │
│ │
│ [Cancel] [Verify Code] │
└─────────────────────────────────────────┘
- Open authenticator app
- Find Xermius account
- Note the 6-digit code
- Enter the code before it rotates (codes change every 30 seconds; if the countdown is almost out, wait for the next one)
- Click "Verify Code"
Step 5: Save Recovery Codes
IMPORTANT: Save these codes in a safe place!
┌─────────────────────────────────────────┐
│ Save Your Recovery Codes │
├─────────────────────────────────────────┤
│ Use these codes if you lose access to │
│ your authenticator app. Each code can │
│ only be used once. │
│ │
│ 1. ABCD-EFGH-IJKL-MNOP │
│ 2. QRST-UVWX-YZAB-CDEF │
│ 3. GHIJ-KLMN-OPQR-STUV │
│ 4. WXYZ-ABCD-EFGH-IJKL │
│ 5. MNOP-QRST-UVWX-YZAB │
│ 6. CDEF-GHIJ-KLMN-OPQR │
│ 7. STUV-WXYZ-ABCD-EFGH │
│ 8. IJKL-MNOP-QRST-UVWX │
│ │
│ [Download] [Print] [Copy] │
│ │
│ [✓] I have saved these codes │
│ │
│ [Continue] │
└─────────────────────────────────────────┘
How to Save:
Option 1: Download (Recommended)
- Click "Download"
- Save to secure location
- Encrypt the file
- Back up to multiple locations
Option 2: Print
- Click "Print"
- Print on paper
- Store in safe place (fireproof safe, bank vault)
Option 3: Password Manager
- Copy codes
- Save in password manager (1Password, LastPass, etc.)
- Add note: "Xermius 2FA Recovery Codes"
⚠️ Warning:
- Do not lose these codes!
- Without them, you may lose account access if you lose your phone
- Store securely but accessibly
Step 6: Success!
✓ Two-Factor Authentication Enabled
Your account is now protected with 2FA.
You will need your authenticator app
each time you sign in.
[Done]
Using 2FA to Sign In
Normal Sign In Process
1. Enter credentials:
   Email: user@xermius.com
   Password: ••••••••••••••••
2. Click "Sign In"
3. Enter 2FA code:
┌──────────────────────────────┐
│ Two-Factor Authentication │
├──────────────────────────────┤
│ Enter code from your app: │
│ │
│ ┌───┬───┬───┬───┬───┬───┐│
│ │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 ││
│ └───┴───┴───┴───┴───┴───┘│
│ │
│ [Use Recovery Code] │
│ │
│ [ Verify ] │
└──────────────────────────────┘
4. Open authenticator app
5. Enter 6-digit code
6. Click "Verify"
7. Signed in! ✓
Trust This Device
┌──────────────────────────────────────┐
│ Trust This Device? │
├──────────────────────────────────────┤
│ Don't ask for 2FA code on this │
│ device for 30 days. │
│ │
│ Only trust devices you own. │
│ │
│ [✓] Trust this device │
│ │
│ [Continue] │
└──────────────────────────────────────┘
When to trust:
- ✓ Your personal computer
- ✓ Your work computer
- ✓ Your tablet
When NOT to trust:
- ✗ Public computers
- ✗ Shared computers
- ✗ Internet cafes
- ✗ Friend's devices
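Trusting a device means that device alone gets you past the second factor for 30 days, so it is worth seeing what a server has to track for that to be safe. The following is an added example (not Xermius code) of one way to implement it: a signed, expiring token stored on the device plus a server-side list of trusted device IDs, which is what lets the status page count them and lets you revoke one. The token format, the registry and the 30-day lifetime are assumptions for illustration.

```python
# Added example (not Xermius code): "Trust this device" as a signed, expiring token
# checked against a server-side registry.  Format and registry are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets

TRUST_SECONDS = 30 * 24 * 3600   # "Don't ask for 2FA code on this device for 30 days"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TrustedDevices:
    def __init__(self, server_key: bytes):
        self._key = server_key   # server-side secret; never sent to clients
        self._registry = {}      # user -> {device_id: {"label": ..., "expires": ...}}

    def trust(self, user: str, label: str, now: int) -> str:
        """Called after a successful 2FA sign-in when the user ticks the box.
        Returns the value to set as a long-lived cookie on that device."""
        device_id = secrets.token_hex(16)
        expires = now + TRUST_SECONDS
        self._registry.setdefault(user, {})[device_id] = {"label": label, "expires": expires}
        payload = json.dumps({"u": user, "d": device_id, "e": expires},
                             separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64u(payload) + "." + _b64u(tag)

    def is_trusted(self, user: str, token: str, now: int) -> bool:
        """True only if signature, user, expiry and registry all check out.
        Any failure just means the user is asked for a code as usual."""
        try:
            payload_b64, tag_b64 = token.split(".", 1)
            payload = _unb64u(payload_b64)
            tag = _unb64u(tag_b64)
            expected = hmac.new(self._key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                return False
            claims = json.loads(payload)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            return False
        if claims.get("u") != user or claims.get("e", 0) <= now:
            return False
        # Revocation: a valid signature is not enough; the device must still be listed.
        entry = self._registry.get(user, {}).get(claims.get("d"))
        return entry is not None and entry["expires"] > now

    def devices(self, user: str) -> list:
        """What the status page shows as 'Trusted devices: N'."""
        return [{"id": d, **v} for d, v in self._registry.get(user, {}).items()]

    def revoke(self, user: str, device_id: str) -> bool:
        """'Revoke old/unknown devices' from the regular review checklist."""
        return self._registry.get(user, {}).pop(device_id, None) is not None
```

The registry is the important part: because the server only honours tokens for devices it still lists, revoking a device (or disabling 2FA, which should clear the list) takes effect immediately, even though the cookie on the device itself is unchanged.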
Recovery Codes
What are Recovery Codes?
- Backup codes for when you don't have your phone
- One-time use - Each code works only once
- 8 codes provided - Generate more when running low
When to Use Recovery Codes
Use a recovery code if you:
- Lost your phone
- Phone is broken/dead
- Uninstalled authenticator app
- Factory reset phone
- Can't access authenticator app
Using a Recovery Code
- Sign in with email and password
- On 2FA screen, click "Use Recovery Code"
- Enter one of your saved recovery codes
- Click "Verify"
- You're in! ✓
After using a code:
- Code is consumed (can't reuse)
- You have one fewer code left (7 if this was the first one you used)
- Consider regenerating codes
Regenerating Recovery Codes
If running low:
- Sign in to dashboard
- Go to Security → Two-Factor Auth
- Click "Regenerate Recovery Codes"
- Enter password to confirm
- Save new codes (old ones are invalidated)
Warning: Old codes stop working immediately!
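The three properties described above (each code works once, the set can be regenerated, and regenerating invalidates every old code at once) are easy to get wrong, so here is an added example (not Xermius code) of a store that has them. The XXXX-XXXX-XXXX-XXXX shape and the count of 8 follow the page; the hashing scheme, the in-memory store and the choice to leave out the easily misread letters I and O are assumptions.

```python
# Added example (not Xermius code): issuing, storing and consuming one-time recovery
# codes.  Code shape and count follow the page; hashing and storage are assumptions.
import hashlib
import hmac
import secrets
import string

CODE_COUNT = 8
GROUPS, GROUP_LEN = 4, 4
# Letters only, as on the page.  I and O are left out (assumption) because users
# type these from paper and they are easily confused with 1 and 0.
ALPHABET = "".join(c for c in string.ascii_uppercase if c not in "IO")


def generate_codes(n: int = CODE_COUNT) -> list:
    """n random codes shaped like 'KQWB-ZHTR-NMFC-XVJD' (about 73 bits of entropy each)."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
                     for _ in range(GROUPS)) for _ in range(n)]


def normalize(code: str) -> str:
    """Tolerate the dashes, spaces and lowercase a user may type from a printout."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


class RecoveryCodeStore:
    """Holds only hashes.  The plaintext codes exist once, on the 'Save Your
    Recovery Codes' screen, and are never stored or shown again."""

    def __init__(self):
        self._salt = b""
        self._hashes = []   # list of [digest, used]

    def _digest(self, code: str) -> bytes:
        # Codes carry 70+ bits of entropy, so a salted HMAC-SHA256 is enough;
        # a slow password KDF is only needed for low-entropy secrets.
        return hmac.new(self._salt, normalize(code).encode(), hashlib.sha256).digest()

    def issue(self, n: int = CODE_COUNT) -> list:
        """Create a fresh set.  Any previously issued codes stop working immediately;
        this serves both first-time setup and 'Regenerate Recovery Codes'."""
        self._salt = secrets.token_bytes(16)
        codes = generate_codes(n)
        self._hashes = [[self._digest(c), False] for c in codes]
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume one unused code.  Scans the whole list with constant-time
        comparisons so response time does not leak which entry matched."""
        d = self._digest(submitted)
        hit = None
        for entry in self._hashes:
            if hmac.compare_digest(entry[0], d) and not entry[1]:
                hit = entry
        if hit is None:
            return False
        hit[1] = True
        return True

    def remaining(self) -> int:
        """What the status page shows as 'Recovery codes remaining: N'."""
        return sum(1 for _, used in self._hashes if not used)
```

Because `issue()` replaces the salt as well as the hashes, an old code cannot match even by accident after regeneration, which is the "old codes stop working immediately" behaviour described above. A real deployment would persist the hashes per user and rate-limit `redeem()`, since recovery codes bypass the authenticator entirely.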
Managing 2FA
View 2FA Status
Check if 2FA is enabled:
- Go to Security → Two-Factor Auth
- See status:
Status: ✓ Enabled
Enabled on: Oct 15, 2024
Last used: Oct 17, 2024 10:30 AM
Trusted devices: 2
Recovery codes remaining: 8
Disable 2FA
⚠️ Not Recommended - Reduces security
- Go to Security → Two-Factor Auth
- Click "Disable Two-Factor Authentication"
- Enter password
- Enter current 2FA code
- Confirm: "Yes, Disable 2FA"
Account is less secure now!
Reset 2FA
If you changed phones or apps:
- Disable current 2FA
- Re-enable and scan new QR code
- Save new recovery codes
Change Authenticator App
Switching apps (e.g., Google Auth → Authy), in this order:
- Install the new app first; don't disable 2FA yet
- Disable 2FA (you need a current code from the old app to do this)
- Re-enable 2FA
- Scan the new QR code with the new app
- Save the new recovery codes (the old ones are invalidated)
- Only then uninstall the old app
Troubleshooting
Code Doesn't Work
Causes:
- Time synchronization
  - Codes are time-based (TOTP)
  - Your phone's clock must be accurate: servers only accept the current 30-second window and its immediate neighbours, so a clock that is off by a minute or more produces codes that are always rejected
  Solution:
  iPhone: Settings → General → Date & Time → Enable "Set Automatically"
  Android: Settings → System → Date & time → Enable "Use network-provided time"
- Wrong code
  - Codes change every 30 seconds
  - Enter the code before it expires
- Wrong account
  - Multiple Xermius accounts?
  - Make sure you're looking at the right one in the app
Lost Phone
You have recovery codes:
- Use recovery code to sign in
- Disable 2FA
- Get new phone
- Re-enable 2FA
You DON'T have recovery codes:
- Contact support: support@xermius.com
- Provide proof of identity
- Support will disable 2FA
- Sign in and re-enable
Proof of identity may include:
- Previous payment receipts
- Host configurations
- Account details
- ID verification
Wrong Time on Phone
Symptom: Codes always invalid
Solution:
- Enable automatic time
- Or manually set correct time
- Generate new code and try again
Can't Scan QR Code
Solutions:
Option 1: Manual Entry
- Use the text code instead
- Enter in authenticator app manually
Option 2: Better Lighting
- Increase screen brightness
- Reduce glare
- Clean phone camera
Option 3: Zoom In
- Make QR code larger
- Easier for camera to scan
Lost Recovery Codes
If 2FA still enabled:
- Sign in normally (with phone)
- Regenerate recovery codes
- Save new ones
If 2FA enabled but can't sign in:
- Contact support
- Provide identity proof
- Support will assist
Best Practices
1. Keep Phone Secure
Your authenticator app is a key to your account:
- Set phone lock screen password/PIN/biometric
- Don't root/jailbreak phone
- Keep OS updated
- Use reputable authenticator apps
2. Backup Authenticator
Multiple Devices:
- Some apps support multiple devices (Authy)
- Install on phone AND tablet
- Both generate same codes
Cloud Backup:
- Use apps with cloud backup (Authy, Microsoft Authenticator)
- Syncs across devices
- Restore if phone is lost
- The backup contains your 2FA secrets, so protect that cloud account with a strong, unique password and its own 2FA
3. Store Recovery Codes Safely
Physical Storage:
- Fireproof safe
- Bank safe deposit box
- With important documents
Digital Storage:
- Password manager (encrypted)
- Encrypted USB drive
- Cloud storage (encrypted)
Don't:
- Plain text file on computer
- Unencrypted email
- Photo in phone gallery
- Sticky note on monitor
4. Regular Review
Every 3-6 months:
- Check trusted devices
- Revoke old/unknown devices
- Regenerate recovery codes if needed
- Update authenticator app
5. Have a Plan
What if you lose your phone?
- Use recovery code to sign in
- Disable 2FA temporarily
- Set up new phone
- Re-enable 2FA
- Generate new recovery codes
2FA and Team Accounts
Admin Controls
Team admins can:
- Require 2FA for all team members
- View 2FA status of team members
- Enforce 2FA for specific roles
- Set grace period for enabling 2FA
Team Member Requirements
If admin requires 2FA:
- You'll see a warning: "2FA Required"
- Grace period: 7 days to enable
- After deadline: Cannot access team resources until enabled
- Follow setup steps above