Two-Factor Authentication (2FA)
Add a second layer of security to your account with TOTP-based two-factor authentication.
Two-factor authentication adds a second layer of security to your AegisRunner account. Even if someone obtains your password, they cannot access your account without the time-based code generated by your authenticator app.
How 2FA Works
AegisRunner uses the TOTP (Time-based One-Time Password) standard, compatible with all major authenticator apps. When 2FA is enabled, logging in requires both your password and a 6-digit code that refreshes every 30 seconds.
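The following is an added, self-contained example (not AegisRunner's own code) of the RFC 6238 algorithm the paragraph describes: HMAC-SHA1 over the 30-second time step, dynamically truncated to 6 digits. It also shows the two server-side checks a verifier should pair with it, a small clock-skew window and a "last used counter" so a code that has already been accepted is refused if replayed. Function names, the one-step skew window and the replay bookkeeping are choices made for this example; the 20-byte ASCII secret in the usage section is the RFC 6238 test-vector key, not a real account secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6   # code length, as in the Security Details table
STEP = 30    # seconds per code


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse of new_secret(); tolerates the spaces and missing '=' padding
    that users type when entering the key manually."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation (low nibble of the last byte selects a 4-byte window)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(key: bytes, at: Optional[int] = None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, window: int = 1,
                last_used_counter: int = -1, step: int = STEP) -> Optional[int]:
    """Return the matching counter if `code` is valid, else None.

    Accepts +/- `window` steps of clock skew, compares in constant time, and
    refuses any counter at or before `last_used_counter`, so the caller can
    persist the returned counter and reject a replay of the same code.
    """
    t = int(time.time()) if at is None else at
    base = t // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B SHA-1 test key (constructed, not a real secret).
    rfc_key = b"12345678901234567890"
    print(totp(rfc_key, at=59))           # last 6 digits of the RFC's 94287082
    print(verify_totp(rfc_key, "287082", at=59))
    print(verify_totp(rfc_key, "287082", at=59, last_used_counter=1))  # replay -> None
```

Persisting the counter returned by `verify_totp` per account is what turns "the code is correct" into "the code is correct and has not been used before"; without it a code intercepted during its 30-second window remains valid for that whole window.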
Enabling 2FA
- Navigate to Settings > Security.
- Click Enable in the Two-Factor Authentication card.
- Scan the QR code with your authenticator app, or manually enter the secret key.
- Enter the 6-digit verification code to confirm.
- Save your backup codes immediately.
Backup Codes
Eight single-use backup codes are generated when you enable 2FA. Each has the format XXXXXXXX-XXXXXXXX and is SHA-256 hashed before storage, so only the hash is kept on the server. You can regenerate the set from Settings > Security; doing so invalidates all previous codes.
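As an added illustration (not AegisRunner's implementation) of the properties listed above, the store below generates eight random codes in the XXXXXXXX-XXXXXXXX layout, keeps only their SHA-256 hashes, consumes a code on first successful use, and drops the whole previous set on regeneration. The code alphabet (uppercase letters and digits) and the class and method names are assumptions for this example; the page does not specify them.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional

BACKUP_CODE_COUNT = 8
ALPHABET = string.ascii_uppercase + string.digits  # assumed alphabet, 36^16 combinations per code


def hash_code(code: str) -> str:
    """Plain SHA-256 is adequate here because each code is high-entropy random
    data, unlike a user-chosen password; a slow hash buys nothing."""
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def normalize(candidate: str) -> str:
    """Accept lowercase input and stray whitespace without weakening the check."""
    return candidate.strip().upper()


class BackupCodeStore:
    """Hashes of the unused codes for one account (constructed, in-memory)."""

    def __init__(self) -> None:
        self._hashes: set = set()

    def regenerate(self) -> List[str]:
        """Create a fresh set; the plaintext is returned exactly once for display.
        Replacing the set is what invalidates every previous code."""
        codes = []
        for _ in range(BACKUP_CODE_COUNT):
            half = lambda: "".join(secrets.choice(ALPHABET) for _ in range(8))
            codes.append(f"{half()}-{half()}")
        self._hashes = {hash_code(c) for c in codes}
        return codes

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """True exactly once per code: a match is removed as it is accepted."""
        digest = hash_code(normalize(candidate))
        matched: Optional[str] = None
        # Scan every stored hash with a constant-time compare so timing does
        # not reveal how close a guess came, then remove the match atomically.
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)
        return True


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.regenerate()       # show these to the user once
    print(store.redeem(codes[0]))    # True
    print(store.redeem(codes[0]))    # False: single use
    print(store.remaining())         # 7
```

Because only hashes survive, a lost code set cannot be re-displayed; the only recovery path is regeneration, which is why the enabling steps tell you to save the codes immediately.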
Recovery
If you lose access to your authenticator device:
- Enter your email and password on login.
- Enter a backup code instead of the 6-digit authenticator code.
- Disable and re-enable 2FA with your new device.
Disabling 2FA
- Go to Settings > Security.
- Click Disable.
- Enter your password and a current authenticator code.
Security Details
| Property | Value |
|---|---|
| Algorithm | TOTP (RFC 6238) with SHA-1 |
| Code length | 6 digits, 30-second rotation |
| Secret encryption | AES-256-GCM at rest |
| Backup codes | 8 codes, SHA-256 hashed, single-use |
| Pending login session (password accepted, awaiting code) | Expires after 5 minutes |