Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification step when you sign in — so even if your master password is compromised, an attacker cannot access your account without the second factor. CloudKeep supports time-based one-time passwords (TOTP) via any standard authenticator app.
Why Use 2FA?
Your master password is strong, but no single factor is invulnerable. Phishing, keyloggers, and credential stuffing attacks can all compromise a password. 2FA mitigates these threats by requiring something you know (your password) and something you have (your authenticator device). Key benefits:
- Phishing resistance — a stolen password alone is not enough to log in.
- Credential stuffing protection — even if your password appears in a data breach, 2FA blocks unauthorised access.
- Compliance — many security frameworks (SOC 2, ISO 27001) require multi-factor authentication.
- Peace of mind — an additional safeguard for your most sensitive data.
Setting Up TOTP
TOTP (Time-Based One-Time Password) generates a six-digit code that changes every 30 seconds. Here is how to set it up:
1. Navigate to settings: Go to Settings → Security → Two-Factor Authentication.
2. Enable 2FA: Click Enable 2FA.
3. Confirm identity: Enter your master password to confirm your identity.
4. Scan QR code: Scan the QR code with your authenticator app, or manually enter the setup key.
5. Verify code: Enter the six-digit code from your authenticator to verify the setup.
6. Save backup codes: Save the backup codes displayed on the next screen (see below).
otpauth://totp/CloudKeep:you@example.com?secret=JBSWY3DPEHPK3PXP&issuer=CloudKeep
Your actual secret will be unique.
From this point forward, every login requires both your master password and a six-digit code from your authenticator.
Backup Codes
When you enable 2FA, CloudKeep generates a set of 10 single-use backup codes. Each code can be used exactly once in place of a TOTP code if you lose access to your authenticator device.
- Store backup codes in a separate, secure location (not in CloudKeep itself).
- Each code is invalidated after use — once all 10 are consumed, you must generate a new set.
- You can regenerate backup codes at any time from Settings → Security → 2FA → Regenerate Codes. Regenerating invalidates all previously issued codes.
a1b2c3d4 e5f6g7h8 i9j0k1l2 m3n4o5p6 q7r8s9t0
u1v2w3x4 y5z6a7b8 c9d0e1f2 g3h4i5j6 k7l8m9n0
Your actual codes will be unique.
Trusted Devices
To avoid entering a TOTP code every time you log in from the same device, you can mark a device as trusted during login by checking "Trust this device for 30 days". Trusted devices skip the 2FA prompt until the trust period expires.
You can manage trusted devices from Settings → Security → Trusted Devices:
- View all devices that are currently trusted (name, browser, last used).
- Revoke trust from individual devices.
- Click Revoke All to require 2FA on every device immediately.
Disabling 2FA
If you need to disable two-factor authentication:
- Go to Settings → Security → Two-Factor Authentication.
- Click Disable 2FA.
- Enter your master password and a current TOTP code (or backup code) to confirm.
Disabling 2FA removes the second factor immediately. If your organisation enforces mandatory 2FA, you will not be able to disable it until the policy is changed by an admin.
Recommended Authenticator Apps
Any app that supports the TOTP standard (RFC 6238) works with CloudKeep. Here are some popular options:
| App | Platforms | Cloud Backup | Notes |
|---|---|---|---|
| Google Authenticator | iOS, Android | Google Account sync | Simple and widely used |
| Authy | iOS, Android, Desktop | Encrypted cloud backup | Multi-device sync, encrypted backups |
| 1Password | All platforms | Built-in vault sync | Integrated with password manager |
| Microsoft Authenticator | iOS, Android | Microsoft Account sync | Enterprise-friendly, push notifications |
| Raivo OTP | iOS, macOS | iCloud sync | Open-source, Apple ecosystem native |
Related Documentation
- Master Password — your first factor of authentication
- Account Recovery — regaining access if you lose your authenticator
- Teams — enforcing 2FA across your organisation