Two-Factor Authentication (2FA)
Secure your account with two-factor authentication. Set up TOTP with an authenticator app, scan QR codes, verify with a 6-digit code, and save backup codes.
What Is 2FA?
Two-Factor Authentication adds an extra layer of security to your account. After entering your password, you'll also need to enter a 6-digit code from an authenticator app on your phone. For more on how we protect your data, see our privacy policy.
Bugalou uses TOTP (Time-based One-Time Password) — compatible with apps like Google Authenticator, Authy, Microsoft Authenticator, and 1Password.
Where to Find 2FA Settings
2FA can be managed from three different locations:
- Profile page (Personal Settings → Profile) — status badge and enable/disable buttons
- Security page (Personal Settings → Security) — toggle switch
- Dedicated 2FA page (Personal Settings → Security) — full setup interface
Enabling 2FA
Follow these steps to enable two-factor authentication:
Step 1: Start Setup
Click "Enable Two-Factor Authentication" on any of the 2FA pages. Bugalou calls the setup API to generate your unique secret key.
Step 2: Scan the QR Code
A QR code appears on screen. Open your authenticator app and:
- Tap "Add Account" or the "+" button
- Select "Scan QR Code"
- Point your camera at the QR code
Can't scan? Click "Show secret key" to see the text key you can enter manually.
Step 3: Enter Verification Code
Enter the 6-digit code from your authenticator app into the verification boxes. The input has 6 individual digit boxes with auto-focus — type a number and it automatically moves to the next box.
Step 4: Save Backup Codes
After verification, you'll see a grid of backup codes displayed in 2 columns. These are emergency codes for when you can't access your authenticator app.
- Click "Copy Codes" to copy all codes to your clipboard
- Store them safely — in a password manager, printed, or in a secure location
- Each backup code can only be used once
Disabling 2FA
- Go to any 2FA settings page
- Click "Disable Two-Factor Authentication"
- Enter your current password for confirmation
- 2FA is disabled — you'll only need your password to log in
2FA Status
Your 2FA status is shown on the Profile page with a badge:
- 🔒 Enabled — your account is secured with 2FA
- 🔓 Disabled — 2FA is not active
API Endpoints
For reference, 2FA uses these endpoints:
- /api/auth/2fa/status — check if 2FA is enabled
- /api/auth/2fa/setup — generate QR code and secret
- /api/auth/2fa/verify — verify a code and activate 2FA
- /api/auth/2fa/disable — disable 2FA (requires password)