Two-Factor Authentication (2FA)
TOTP 2FA via any authenticator app. Backup codes, recovery flow, organization-wide enforcement on Business+.
Turn on 2FA to require a second factor — a 6-digit code from your phone — at every sign-in. Even if your password leaks, your account stays locked.
What AegisRunner uses
AegisRunner uses TOTP (RFC 6238), the open standard supported by every major authenticator app. There's no SMS option — SMS-based 2FA has been compromised too many times to recommend.
Compatible apps include Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator, Aegis, Raivo, or any TOTP-capable password manager.
Turning it on
- Go to Settings → Security.
- Click Enable on the Two-Factor Authentication card.
- Scan the QR code with your app, or enter the secret manually.
- Enter the 6-digit code your app shows to confirm.
- You'll be shown 8 backup codes. Save them now — they're shown once and never again.
Signing in with 2FA
Once enabled, every sign-in adds a step:
- Enter email and password.
- Enter the 6-digit code from your app.
The code refreshes every 30 seconds. There's a small grace window — codes from up to 30 seconds ago are accepted to handle clock drift.
Backup codes
You get 8 single-use backup codes when you enable 2FA. Each looks like XXXXXXXX-XXXXXXXX. Store them in one of these places:
- A password manager (most have a secure-notes feature).
- A printed copy in a safe.
- An encrypted note on a different device than your primary auth device.
Don't store them in plain-text email or in a Google Doc.
To regenerate codes (e.g. after using a few), go to Settings → Security → Regenerate backup codes. This invalidates all previous codes.
Recovering account access
If you've lost access to your authenticator:
- At sign-in, click Use a backup code on the 2FA prompt.
- Enter one of your unused backup codes.
- Once signed in, immediately go to Settings → Security, disable 2FA, and re-enable it on a new device.
If you've lost both your authenticator and your backup codes, you'll need to email support@aegisrunner.com with proof of identity. We can disable 2FA on your account so you can sign in and re-enroll, but this takes time and identity verification — not an instant process.
Disabling 2FA
From Settings → Security, click Disable on the 2FA card. You'll be asked to enter your current 2FA code to confirm. Disabling clears your TOTP secret and backup codes from our systems.
How it's stored on our side
- The TOTP secret is encrypted with AES-256 at rest. We never log it and never display it after enrollment.
- Backup codes are SHA-256 hashed before storage — we can verify a code, not retrieve it.
- If our database were dumped, an attacker still couldn't generate valid codes for your account.
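As an added illustration of the rules described under Signing in with 2FA, Backup codes and this section, here is a self-contained model of the server-side checks (example code, not AegisRunner's own): RFC 6238 TOTP with the one-step grace window, and single-use backup codes verified against SHA-256 hashes. The function names, and the choice of hex characters for backup codes, are assumptions; the page only gives the XXXXXXXX-XXXXXXXX shape.

```python
import hashlib, hmac, secrets, struct

STEP = 30         # seconds per TOTP step (code refreshes every 30 s)
DIGITS = 6        # 6-digit codes
GRACE_STEPS = 1   # also accept the previous step ("up to 30 seconds ago")

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(key, unix_time // STEP)

def verify_totp(key: bytes, submitted: str, unix_time: int) -> bool:
    """Server-side check: accept the code for the current step or the one
    before it (clock drift); older and future codes are rejected.
    Constant-time comparison so timing does not leak matching digits."""
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    now = unix_time // STEP
    return any(hmac.compare_digest(hotp(key, c), submitted)
               for c in range(now - GRACE_STEPS, now + 1))

def generate_backup_codes(n: int = 8) -> list[str]:
    """n single-use codes in the XXXXXXXX-XXXXXXXX shape (hex is an assumption)."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}".upper()
            for _ in range(n)]

def hash_backup_code(code: str) -> str:
    """Store only SHA-256(code). Plain SHA-256 is adequate here because the
    code is 64 bits of CSPRNG output, not a low-entropy user password."""
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()

def redeem_backup_code(stored_hashes: set[str], submitted: str) -> bool:
    """Verify a submitted backup code and consume it so it cannot be reused."""
    digest = hash_backup_code(submitted)
    if digest in stored_hashes:
        stored_hashes.remove(digest)   # single-use: burn the code on success
        return True
    return False
```

The TOTP functions reproduce the RFC 4226/6238 test vectors for the secret `12345678901234567890`, so you can check the implementation against the standard before trusting it.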
2FA and SSO
If your organization uses SSO/SAML, 2FA at AegisRunner is optional — your IdP usually enforces a stronger second factor (FIDO2, hardware tokens). For non-SSO accounts and for org admins who can sign in with email + password, 2FA is strongly recommended and can be enforced organization-wide on Business+.
Enforcing 2FA for your team (Business+)
Org Owners and Admins on Business+ can require 2FA for all members:
- Go to Settings → Security → Organization Security.
- Toggle Require 2FA.
- Existing members get 30 days to enroll; new members must enroll before signing in.
Members who haven't enrolled yet get email reminders 7 days, 3 days, and 1 day before lockout.
Common questions
Can I use 2FA with multiple apps / devices?
Yes — scan the same QR code on each device. The TOTP secret is symmetric, so all devices generate matching codes. (Backup codes are still account-wide.)
What if my phone's clock is off?
Codes will fail. Set your phone to network-provided time. We accept up to 30 seconds of drift; anything more is rejected.
Why no SMS option?
SMS 2FA is well known to be vulnerable to SIM-swap attacks. App-based TOTP is much harder to intercept, and it's free.