Setting Up Two-Factor Authentication

Two-factor authentication (2FA) adds a second check to your sign-in: alongside your password, Validibot asks for a short, one-time code that only your phone can generate. Even if someone phishes your password, they can't get in without your device.

2FA is optional. You can turn it on today and turn it off tomorrow — your password alone will always sign you in until you activate it, and deactivating it takes you back to password-only at any time.

What you'll need

  • A device you can keep near your computer when signing in — usually your phone.
  • A time-based one-time password (TOTP) app installed on that device. Any modern authenticator works; popular choices include Aegis (Android, free and open-source), 1Password, Bitwarden, Authy, and Google Authenticator.

Turn on two-factor authentication

  1. Sign in to Validibot.
  2. Open the user menu in the top-right and choose Security.
  3. Under Authenticator app, click Set up authenticator.
  4. Validibot shows a QR code. Open your authenticator app, choose "add account" or the equivalent, and scan the code. The app adds an entry labelled Validibot with your email.
  5. The app now shows a six-digit code that changes every thirty seconds. Type the current code into the Validibot activation page and submit.
  6. Validibot shows your recovery codes — ten single-use backup codes. Copy them into your password manager or print them and store them somewhere safe. You'll need one of these if you ever lose access to your authenticator app.

That's it — the next time you sign in, Validibot will ask for a six-digit code after you enter your password.

Sign in with two-factor enabled

  1. Enter your email and password as usual.
  2. Validibot prompts you for your authenticator code. Open your app, copy the six digits for Validibot, and enter them.
  3. You're in.

If your code doesn't work, first check that your phone's clock is accurate — TOTP depends on both sides agreeing on the time. Most phones sync their clock automatically; if yours has drifted, the code will be rejected.
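To show why a drifted clock gets a code rejected, here is an added example (not Validibot's own code) of the RFC 6238 TOTP check a server runs: it derives the six-digit code from the shared secret and the current 30-second time step, accepts a small drift window, and refuses replay of an already-used step. The secret, the one-step tolerance and the replay tracking are assumptions for the example; the secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # the thirty-second rotation described on this page
DIGITS = 6

# Constructed example secret: the RFC 6238 / RFC 4226 test key, shown in the
# base32 "text form" an authenticator app accepts when the QR code won't scan.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode the text form of the secret into the raw HMAC key."""
    return base64.b32decode(text.strip().replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                last_used_counter: Optional[int] = None,
                drift_steps: int = 1) -> Optional[int]:
    """Return the accepted counter, or None if the code is rejected.

    A phone whose clock is off by more than `drift_steps` whole steps produces
    a code for a counter outside the window, which is why the page tells you
    to fix the clock first. Counters at or below `last_used_counter` are
    refused so a captured code cannot be replayed within its window.
    """
    base = int(server_time) // STEP_SECONDS
    for counter in range(base - drift_steps, base + drift_steps + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison avoids leaking which digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted.strip()):
            return counter
    return None
```

A server should persist the returned counter per user and pass it back as `last_used_counter` on the next attempt.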

Using a recovery code

If you lose your phone, forget to bring it, or your authenticator app stops working, you can sign in with a recovery code instead.

  1. On the two-factor prompt, click the link that says "Use a recovery code."
  2. Paste one of your saved codes.
  3. You're signed in. That code is now used up and will never work again — you have nine left.

We recommend regenerating your recovery codes from the Security page whenever you're down to the last couple. Regenerating invalidates the old set immediately, so always save the new codes before closing the page.

Turn two-factor authentication off

  1. Open the user menu and choose Security.
  2. Under Authenticator app, click Deactivate authenticator and confirm.

Password-only sign-in is restored. You can reactivate 2FA any time by repeating the setup steps above — your recovery codes will be regenerated when you do.

Troubleshooting

My code is always rejected. Check that your phone's clock is set to sync automatically with the network, then try the next code that rolls around. If that still fails, deactivate from Security (if you're currently signed in) or contact your administrator.

I lost my phone and my recovery codes. If you're on a self-hosted installation, an administrator can remove your authenticator entries from the Django admin. On Validibot Cloud, contact support to verify your identity and reset your account.

The QR code won't scan. Most apps also let you type the secret in by hand. Click "Can't scan?" on the activation page to reveal the text form of the secret.