Two-factor authentication
Turn on a 6-digit code at sign-in, with backup codes if you lose your phone.
Go to the live page Manage two-factor authenticationTwo-factor authentication (2FA, sometimes called MFA) puts a second lock on your account. After you type your password, Vilvik also asks for a fresh 6-digit code from an app on your phone. Without that code, your password alone is not enough.
You do not have to use 2FA. It is fully optional. Most people turn it on once and forget about it; the app does the work each time you sign in.
What you need¶
Any standard authenticator app on your phone or in your password manager. Some examples that work:
- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password
- Bitwarden
- iCloud Keychain (Verification Codes)
They all generate the same kind of 6-digit code, so it is fine to use whichever you already trust.
Turning it on¶
- Open your profile page and switch to the Security tab.
- Press Enable two-factor authentication.
- A QR code appears. Open your authenticator app and scan it. (If you cannot scan, the app also lets you type the long code shown below the picture.)
- The app starts showing a fresh 6-digit code every 30 seconds. Type the current code into the box on Vilvik and press Confirm and turn on.
- Vilvik shows you 10 backup codes. Save these before closing the window. There is a Download as text file button for that.
Once you confirm, two-factor authentication is live on your account.
Vilvik emails you a confirmation whenever two-factor authentication is turned on or off, so you notice right away if anyone changes this setting without you. (This is just a heads-up message. It never contains a sign-in code.)
Signing in with 2FA¶
After you type your password (or sign in with GitHub or Google), Vilvik takes you to a small Two-factor authentication page. Type the 6-digit code from your app and press Verify and sign in. That is all.
The page accepts:
- The current 6-digit code shown in your authenticator app.
- One of your 8-character backup codes (each works once).
If you type the wrong code five times in fifteen minutes, the page locks for a few minutes. Wait and try again with a fresh code.
Backup codes¶
The 10 codes you saved during setup exist so you can still sign in if your phone is lost, broken, or wiped. Treat them like a spare key. Two rules:
- Each code works only once. As soon as you use a code to sign in, it cannot be used again.
- Keep them somewhere private. A password manager is ideal. A printed sheet locked away is fine too. Do not save them in a shared note or screenshot them to a public folder.
When you are running low, regenerate from the Security tab. Pressing Regenerate backup codes replaces the old set with 10 fresh codes; any old code stops working straight away.
If you lose your authenticator¶
Use one of your backup codes to sign in. Then go to the Security tab and either:
- Regenerate backup codes if you still have access to your authenticator app but the backup-code list is short, or
- Disable two-factor authentication and turn it back on fresh, which will pair Vilvik with whichever authenticator app you have now.
Out of backup codes too? Email us at the address shown on the help page and we will turn off 2FA on your account after we confirm who you are.
Turning it off¶
The Security tab has a Disable two-factor authentication button. We ask for a current 6-digit code (or a backup code) first so an attacker who only has your password cannot quietly switch the lock off. Once you confirm, the app stops asking for a code on future sign-ins, and we email you to confirm the change.
FAQ¶
Will Vilvik ever email or text my code? No. The code only lives inside your authenticator app. We never send it. If something asks you for your code over email or chat, it is not us.
Does 2FA cover GitHub and Google sign-in? Yes. Once 2FA is on, you have to enter the 6-digit code regardless of how you sign in.
Can I use it on two phones? Yes. Scan the same QR code (or type the same setup code) in each app during setup. Both will then generate the same rolling codes.
My code keeps being rejected. The 6-digit code rolls every 30 seconds. Check your phone's clock is correct (off-by-a-minute is the usual cause), then try the next code your app shows.