Two-factor Authentication

Two-factor authentication (2FA) adds a time-based one-time code on top of your password. After a successful password sign-in, Conduit prompts for a 6-digit code from your authenticator app (Google Authenticator, Authy, 1Password, etc.) before granting access.


Enable 2FA

  1. Open the user menu and go to Two-factor auth (/app/settings/account/2fa).
  2. Click Set up two-factor authentication.
  3. Scan the QR code with your authenticator app, or copy the manual key into the app.
  4. Enter the current 6-digit code from the app to confirm.
  5. Conduit shows 8 single-use backup codes. Save them now; they are only displayed once. You can copy all codes, download them as a text file, or both.

From this point, every sign-in requires both your password and a fresh authenticator code.

If you sign in via Google or GitHub OAuth, authentication is handled by the OAuth provider, and Conduit does not require an additional 2FA code in that flow. Setting up 2FA still protects password-based sign-ins.


Backup codes

Backup codes let you sign in if you lose access to your authenticator device. Each code works once and is then invalidated.

The Two-factor auth page shows how many codes remain. When you're running low, generate a new set:

  1. Open the user menu and go to Two-factor auth.
  2. Expand Regenerate backup codes.
  3. Enter a current authenticator code.
  4. Click Regenerate backup codes. The previous set is invalidated and a new set of 8 is shown; save them in the same way as the original set.

Using 2FA on sign-in

After your password is accepted, you're redirected to the 2FA challenge page. Enter either:

  • a current 6-digit authenticator code, or
  • one of your unused backup codes (in the format XXXXX-XXXXX).

A backup code is consumed even if the sign-in attempt fails for some other reason (e.g. session expiry mid-flow), so don't reuse the same code if you're prompted again.
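
The backup-code rules described above (8 codes per set, XXXXX-XXXXX format, single use, previous set invalidated on regeneration), shown as an added example of how a server can enforce them; this is not Conduit's code. The alphabet, the keyed-hash storage, and the names BackupCodes, PEPPER and _digest are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions: Conduit's real alphabet and storage scheme are not documented.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I/L look-alikes
CODE_COUNT = 8  # the page states 8 codes per set
PEPPER = secrets.token_bytes(32)  # constructed stand-in for a server-side secret


def _digest(code):
    """Normalise input, then key-hash it so plaintext codes are never stored."""
    canonical = code.strip().upper().replace("-", "").replace(" ", "")
    return hmac.new(PEPPER, canonical.encode(), hashlib.sha256).hexdigest()


class BackupCodes:
    """Hypothetical per-user store of hashed, single-use backup codes."""

    def __init__(self):
        self._hashes = set()

    def regenerate(self):
        """Replace the whole set; return the plaintext codes to display once."""
        codes = []
        while len(codes) < CODE_COUNT:
            raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
            code = f"{raw[:5]}-{raw[5:]}"
            if code not in codes:
                codes.append(code)
        self._hashes = {_digest(c) for c in codes}  # previous set is invalidated
        return codes

    def remaining(self):
        return len(self._hashes)

    def consume(self, submitted):
        """Return True at most once per code; the code is burned on first use."""
        candidate = _digest(submitted)
        match = None
        for stored in self._hashes:  # compare every entry in constant time
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._hashes.remove(match)  # removed before the rest of sign-in runs
        return True
```

Because consume() removes the hash before the rest of the sign-in flow runs, a code stays spent even if the session later expires, which matches the behaviour described above.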


Lost your authenticator device

If you still have backup codes:

  1. Sign in using a backup code at the 2FA prompt.
  2. Set up a fresh authenticator on a new device (see Enable 2FA). This rotates the TOTP secret.
  3. Regenerate backup codes so the old set is invalidated.

If you have no backup codes and no access to the authenticator, account recovery requires contacting Conduit support; there is no self-service override.


Disable 2FA

  1. Go to Settings → Two-factor auth.
  2. Expand Disable two-factor authentication.
  3. Enter a current authenticator code or a backup code.
  4. Click Disable 2FA.

Disabling clears the TOTP secret and all unused backup codes. Re-enabling later starts the setup flow from scratch.


Next steps

  • Account Settings. Password, timezone, account deletion.
  • API Tokens. Programmatic access bypasses 2FA, so treat tokens with the same care as your sign-in credentials.