2FA Frequently Asked Questions
Everything you need to know about two-factor authentication, TOTP, authenticator apps, and keeping your accounts secure.
Basics
What is two-factor authentication (2FA)?
Two-factor authentication adds an extra layer of security to your accounts. After entering your password, you must also provide a second factor — typically a 6-digit code generated by an authenticator app. Even if someone steals your password, they cannot log in without the second factor.
What is TOTP?
TOTP (Time-based One-Time Password) is the algorithm behind most authenticator apps. Defined in RFC 6238, it combines a shared secret key with the current time to generate a 6-digit code that changes every 30 seconds. Both your authenticator app and the service generate the same code independently — no internet connection is needed.
What is the difference between TOTP and HOTP?
TOTP generates codes based on the current time (every 30 seconds), while HOTP (HMAC-based One-Time Password) generates codes based on a counter that increments with each use. TOTP is more common because it doesn't require syncing a counter between devices. Most authenticator apps use TOTP.
Is 2FA with an authenticator app better than SMS?
Yes. SMS-based 2FA is vulnerable to SIM swapping attacks, where an attacker convinces your phone carrier to transfer your number to their SIM card. Authenticator apps generate codes locally on your device and don't rely on the phone network, making them significantly more secure.
What is a secret key in 2FA?
The secret key (also called a seed or shared secret) is a Base32-encoded string that both you and the service share. It's typically shown as a QR code or text string when you first enable 2FA. This key is used together with the current time to generate your 6-digit codes. Keep it safe — anyone with your secret key can generate valid codes.
Setup & Usage
How do I enable 2FA on my accounts?
Most services have 2FA settings under Security or Account Settings. Look for "Two-factor authentication", "2-step verification", or "Login verification". The service will show you a QR code — scan it with an authenticator app to start generating codes.
How do I set up 2FA on GitHub?
Go to GitHub Settings → Password and authentication → Enable two-factor authentication. Choose "Set up using an app", scan the QR code with 2FAA or any authenticator app, enter the generated code to verify, and save your backup codes.
How do I set up 2FA on Google?
Go to Google Account → Security → 2-Step Verification → Get started. Choose "Authenticator app", scan the QR code, enter the verification code, and confirm. Google also offers backup codes and security key options.
How do I set up 2FA on AWS?
Go to AWS IAM Console → Security credentials → Multi-factor authentication → Assign MFA device. Choose "Authenticator app", scan the QR code, and enter two consecutive codes to verify. AWS requires MFA for root account access.
How do I set up 2FA on Discord?
Go to Discord User Settings → My Account → Enable Two-Factor Auth. Scan the QR code with your authenticator app and enter the 6-digit code. Discord will also show you backup codes — save them somewhere safe.
Can I use 2FA on multiple devices?
Yes. When you first set up 2FA, you can scan the same QR code on multiple devices. All devices will generate the same codes. Alternatively, you can save the secret key and add it to another device later. Tools like 2FAA let you export and import your secrets.
Recovery & Troubleshooting
What are backup codes and why should I save them?
Backup codes are one-time-use codes provided when you enable 2FA. They let you log in if you lose access to your authenticator app (lost phone, reset device, etc.). Always save them in a secure location — without them and your authenticator, you could be permanently locked out of your account.
I lost my phone. How do I access my 2FA-protected accounts?
Use your backup codes to log in. If you don't have backup codes, contact the service's support team and complete their identity verification. Some services let you disable 2FA via a recovery email. To avoid being locked out again in the future, use 2FAA to manage your secrets in the browser, save your backup codes, and export your secrets to a backup file.
My 2FA codes are not working. What should I do?
The most common cause is incorrect time on your device. TOTP codes depend on accurate time — even a 30-second drift can cause codes to be rejected. Check that your device's clock is set to automatic/network time. Also verify you're using the correct secret for the right account.
How do I transfer Google Authenticator to a new phone?
In Google Authenticator, tap the menu (⋯) → Transfer accounts → Export accounts. This generates a QR code containing all your secrets. Scan it on your new phone with Google Authenticator, or use 2FAA's import tool to migrate to a web-based authenticator.
Can I recover a deleted 2FA secret?
No. If you delete a secret from your authenticator and don't have the original QR code, secret key, or a backup, the secret is gone. You'll need to use backup codes to access the account and re-enable 2FA to get a new secret. This is why exporting your secrets as a backup is important.
Security & Privacy
Is it safe to use a web-based 2FA authenticator?
Yes, if the tool runs entirely in your browser without sending data to any server. 2FAA generates all TOTP codes client-side using JavaScript. Your secret keys are stored in your browser's local storage and never transmitted. You can verify this by checking the network tab in your browser's developer tools.
Should I use the same authenticator app for all accounts?
It's convenient but creates a single point of failure. If you lose access to that one app, you lose access to everything. Consider using backup codes, exporting secrets to a secure backup, or spreading across two authenticator methods. 2FAA's export feature makes it easy to keep an encrypted backup.
Can someone hack my 2FA?
While not impossible, it's very difficult. Real-time phishing attacks can intercept codes, but the attacker must use them within the 30-second window. The most practical risk is social engineering (tricking you into giving the code) or malware on your device. 2FA with an authenticator app remains one of the best defenses against account takeover.
What happens if the 2FA service goes down?
TOTP codes are generated locally — they don't require the service to be online. Your authenticator app and the service both calculate the same code independently using the shared secret and current time. As long as your device clock is correct, your codes will work regardless of internet connectivity.
About 2FAA
What is 2FAA?
2FAA is a free, open-source suite of 2FA tools. It includes a web-based TOTP authenticator, a Google Authenticator import tool, a Chrome browser extension for auto-fill, and an MCP server for AI agents. Everything runs locally in your browser.
Does 2FAA store my secrets on a server?
No. All secrets are stored in your browser's local storage (or chrome.storage.local for the extension). Nothing is sent to any server. There is no account system, no analytics in the tools, and no tracking of your 2FA data.
Can I use 2FAA offline?
Yes. 2FAA works as a Progressive Web App (PWA). Once you've visited the site, you can install it on your device and use it completely offline. TOTP code generation doesn't require an internet connection.
How do I migrate from Google Authenticator to 2FAA?
Use the Import tool. Export your accounts from Google Authenticator (menu → Transfer accounts → Export), then scan or upload the QR code on 2FAA. All your accounts will be imported instantly.
Ready to secure your accounts?
Start managing your 2FA codes with 2FAA — free, private, and works in your browser.