Two-factor authentication is optional for users, mandatory for admins. To enable:
- Open /app/account/2fa.
- Scan the QR code with Google Authenticator, 1Password, Authy, or any RFC 6238 TOTP app.
- Enter the 6-digit code to confirm.
- Download the 10 recovery codes (they are shown only once; store them in a password manager).
From the next login, you'll be asked for the 6-digit code after your password. Recovery codes work if you lose access to the authenticator. Each recovery code is single-use.