2FA support in Loco
Loco currently supports two-factor authentication via SMS and (TOTP) authenticator apps.
Once activated, you'll have to enter a six-digit code every time you enter your email and password to log in to the Loco dashboard.
Enabling 2FA via SMS
To enable this feature you need to add a phone number capable of receiving SMS (text messages).
Open your user profile from the account menu (top right) and select the Security tab. Click "Add a phone number" and follow the on-screen prompts to verify that the number works.
You can add more than one phone number in case you have problems accessing one of your devices.
We don't use your phone number for any purpose other than authentication. We will never call you.
Enabling 2FA via an authenticator app
To enable this feature you need access to a third party app (such as Authy or Google Authenticator) capable of generating TOTP codes (Time-Based One-Time Passwords).
To link your app to Loco, open your user profile from the account menu (top right) and select the Security tab. Click "Add authenticator app" and scan the QR code that appears. Follow the on-screen prompts to verify that the authenticator works, then enable it as your primary 2FA method by clicking "Activate".
Recovery codes
When 2FA is enabled you will be provided with a single recovery code for each 2FA method you've added.
If you lose access to your device you can enter this code to bypass 2FA and log in straight away. Recovery codes can only be used once. If you want to continue using the bypassed 2FA method after successful recovery, you'll have to repeat the verification process and generate a new recovery code.
You don't have to store your recovery code, but keep it safe if you do. Anyone in possession of this code can get around the extra protection that 2FA provides.
We don't store your codes; we treat them like passwords and store a strong hash instead. If you lose your code you will have to generate a new one. Find the relevant authenticator in your security settings and click the :revert icon:.
Disabling 2FA
You can disable 2FA by removing all registered authenticators (and phone numbers) from your profile. Open your security settings and click the :trash icon: against each authenticator or phone number.
Staying signed in
Clicking the option to stay signed in means you won't have to keep entering 2FA codes on the same device (browser).