2FA support in Loco

Loco currently supports two-factor authentication via SMS. Other methods will be added in future.

Once enabled you will be sent an authentication code every time you enter your email and password to log in to the Loco dashboard.

Enabling 2FA

To enable this feature you need add a phone number capable of receiving SMS (text messages).

Open your user profile from the account menu (top right) and select the Security tab. Click "Add a phone number" and follow the on-screen prompts to verify that the number works.

You can add more than one phone number in case you have problems accessing one of your devices.

We don't use your phone number for any purpose other than authentication. We will never call you.

Recovery codes

When 2FA is enabled you will be provided with a single recovery code for the specific number being added.

If you lose access to your device you can enter this code to disable 2FA and log in straight away. Recovery codes can only be used once. If you want to continue using 2FA after a successful recovery you will have to go though the setup process to enable the number again and get a new recovery code.

You don't have to store your recovery code, but keep it safe if you do. Anyone in possession of this code can get around the extra protection that 2FA provides.

We don't store your codes; we treat them like passwords and store a strong hash instead. If you lose your code you will have to generate a new one. Find the relevant phone number in your security settings and click the :key icon:.

Disabling 2FA

You can disable 2FA by removing all registered phone numbers from your profile. Open your security settings and click the :trash icon: against each number.

As long as at least one number is active you will be prompted to enter a code when you log in.

Staying signed in

Clicking the option to stay signed in means you won't have to keep entering 2FA codes on the same device (browser).