> ## Documentation Index
> Fetch the complete documentation index at: https://docs.supadir.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure your account with two-factor authentication (2FA)

> Enable TOTP two-factor authentication to protect your catalog admin account.

Two-factor authentication (2FA) adds a second verification step every time you log in. Even if your password is stolen, an attacker cannot access your account without your phone.

Supadir uses **TOTP** (Time-based One-Time Password) — the same standard used by Google, GitHub, and most banks. You'll need an authenticator app on your phone.

## Recommended authenticator apps

* **Google Authenticator** (iOS / Android) — simple and reliable
* **Authy** (iOS / Android / Desktop) — supports cloud backup of your codes
* **1Password** or **Bitwarden** — if you already use a password manager with built-in TOTP

## Enabling 2FA

<Steps>
  <Step title="Go to Security settings">
    In your admin panel, go to **Settings → Security** and click **Set up two-factor authentication**.
  </Step>

  <Step title="Scan the QR code">
    Open your authenticator app and scan the QR code shown on screen. If you can't scan it, click **Show manual key** and enter the code by hand.
  </Step>

  <Step title="Verify the setup">
    Enter the 6-digit code shown in your authenticator app to confirm the setup worked.
  </Step>

  <Step title="Save your backup codes">
    After verification, Supadir shows you **8 backup codes**. These are single-use codes you can use instead of the authenticator app if you lose access to your phone.

    **Save them now.** They are shown only once. We recommend storing them in a password manager or printing them out and keeping them somewhere safe.
  </Step>
</Steps>

<Warning>
  If you lose your phone and don't have backup codes, you will be locked out of your account. Contact Supadir support to regain access.
</Warning>

## Logging in with 2FA enabled

After enabling 2FA, every login requires:

1. Your email and password (as usual)
2. A 6-digit code from your authenticator app

The code changes every 30 seconds. Enter it within that window. If it expires while you're typing, just use the next one.

## Using a backup code

On the login screen, instead of entering a 6-digit code, click **Use a backup code** and enter one of your saved codes. Each code can only be used once.

<Tip>
  After using a backup code, go to **Settings → Security** to check how many backup codes you have left. You can generate a fresh set by disabling and re-enabling 2FA.
</Tip>

## Disabling 2FA

Go to **Settings → Security** and click **Disable two-factor authentication**. You'll be asked to confirm with a current TOTP code before it's turned off.

<Warning>
  We strongly recommend keeping 2FA enabled at all times. Your admin account has full control over your catalog, including billing and listing data.
</Warning>
