Two-Factor Authentication

Two-factor auth (2FA) adds a TOTP code on top of the password at sign-in. Geekonomics uses standard RFC-6238 TOTP, so any authenticator app works — Google Authenticator, Authy, 1Password, Bitwarden, the iOS Passwords app.

Turning It On

Go to Settings → Two-Factor Authentication and click Enable. You'll see:

1. A QR code. Scan it with your authenticator app. The app will start generating a six-digit code that rotates every 30 seconds.
2. A field to confirm the current code from the app. Type it and click Verify.
3. Ten backup codes. Save these somewhere safe. Each one can be used exactly once to sign in if you lose your authenticator device.

After confirming, 2FA is active. Sign out and sign back in to test it — you'll enter your password, then a separate screen will ask for the six-digit code.

Signing In With 2FA

Once enabled, the sign-in flow is:

1. Enter email and password.
2. If correct, Geekonomics asks for the TOTP code. The session holds your auth state for five minutes while you grab the code.
3. Enter the code and you're in.

If your authenticator isn't available, click Use a backup code and paste one of the ten codes you saved. The code is consumed and won't work a second time.

Backup Codes

Backup codes are stored hashed (bcrypt) — once you've left the setup page, neither you nor an admin can re-read them. If you've lost them, head to Settings → Two-Factor Authentication and click Regenerate Backup Codes (you'll be asked to confirm your password). This invalidates the old codes and issues ten new ones.

Disabling 2FA

Click Disable on the same settings page. You'll be asked to confirm your password and a current TOTP code. The secret and backup codes are deleted.

Org-Wide Requirement

An admin can require 2FA for everyone in Settings → Security. Users who haven't enabled it yet are prompted to set it up on their next sign-in before they can access anything else.

What's next

User Management — adding users who'll need to enroll.