Set up two-factor authentication (2FA)
Enable 2FA via authenticator app at Settings → Personal → Security. Scan QR code, verify, save backup codes.
Written By Salvatore Sinigaglia
Last updated About 4 hours ago
Open Settings → Personal → Security → Enable 2FA. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.), enter the 6-digit code, save the backup codes shown once. Strongly recommended for admin and owner roles.
Who is this for
Everyone — but especially admins, owners, and super_admins who hold billing and sensitive controls. 2FA is one of the cheapest, highest-impact security upgrades.
What 2FA gives you
A second factor at login means a stolen password alone can't compromise your account. Even if someone phishes your password, they'd need physical access to your authenticator app to log in. This is critical for:
- Owner accounts (billing access)
- Super admins (cross-org reach)
- Admins of production workspaces
- Anyone with API key creation rights
What you need
- A smartphone (or password manager) with an authenticator app that supports TOTP (Time-based One-Time Password):
- Google Authenticator (Android / iOS)
- Authy (multi-device, cloud sync)
- 1Password / Bitwarden / KeePass (integrated TOTP)
- Microsoft Authenticator
- Duo Mobile
- 2-3 minutes to set up
Alternative: email-based OTP (for users without an authenticator app — see below).
How to set up 2FA
Step 1: Open Security settings
Navigate to Settings → Personal → Security (URL: /settings/personal/security).
Step 2: Click Enable 2FA
The page shows your current security status. Click the Enable 2FA button.
Backend calls POST /api/v1/auth/2fa/setup and returns:
- otpauth_url — the standard otpauth:// URI
- qr_code — image (PNG) you scan in your app
- secret — text fallback if you can't scan (paste manually into your app)
Step 3: Scan the QR code
Open your authenticator app:
- Google Authenticator: tap + → Scan QR code
- Authy: tap + → Scan QR code
- 1Password: open item → Add field → One-time password → camera icon
Point the camera at the QR code displayed on the Wevion page. The app adds a "Wevion" entry showing a rotating 6-digit code.
If you can't scan: copy the secret text from below the QR and paste it into your app's "Enter manually" option.
Step 4: Verify the code
Back in Wevion, enter the current 6-digit code from your app. Click Verify.
Backend calls POST /api/v1/auth/2fa/verify. On success, 2FA is enabled.
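The following is an added illustration of what Steps 2-4 look like on the server side; it is not Wevion's code and Wevion's actual implementation is not shown in this article. It assumes the standard TOTP parameters (HMAC-SHA1, 6 digits, 30-second period), builds the otpauth:// URI that the QR code encodes, and verifies a submitted code while tolerating one step of clock drift either way, which is the "within 30 seconds" tolerance described under Common issues. The issuer name and account are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed parameters for the example, not Wevion's real configuration.
ISSUER = "Wevion"
STEP_SECONDS = 30   # standard TOTP period
DIGITS = 6          # the article's 6-digit codes
SKEW_STEPS = 1      # accept one step either side, i.e. +/-30 s of clock drift


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32-encoded TOTP secret (RFC 4226 recommends 160 bits)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def otpauth_url(secret: str, account: str, issuer: str = ISSUER) -> str:
    """Build the otpauth:// URI that the QR code encodes (Key URI format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret + "=" * (-len(secret) % 8)          # restore base32 padding
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: str, submitted: str, at: int) -> bool:
    """Accept the code if it matches the current step or an adjacent one.

    A constant-time comparison is used so that response timing does not
    leak how many leading digits were correct.
    """
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        expected = hotp(secret, at // STEP_SECONDS + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through of Steps 2-4 with a fresh secret.
    s = generate_secret()
    print(otpauth_url(s, "alice@example.com"))    # what the QR code encodes
    now = 1_700_000_000                            # fixed time so the run is repeatable
    code = totp(s, now)
    print("current code:", code)
    print("verified:", verify_totp(s, code, now + 25))
```

The RFC 6238 reference secret (the ASCII string 12345678901234567890, base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) can be used to check the arithmetic: it yields 287082 at time 59 and 081804 at time 1111111109, matching the RFC's published table. Widening SKEW_STEPS beyond 1 makes login more forgiving of bad phone clocks but also enlarges the set of codes an attacker could replay, so keep it small and fix the clock instead.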
Step 5: Save backup codes (CRITICAL)
Wevion currently generates a list of 8 backup codes. Each is one-time use, for emergency access if you lose your authenticator (lost phone, app reset, etc.).
Save them now:
- Download as text file (button on the page)
- Print and store in a safe place
- Add to your password manager
- Email to yourself (less secure but better than nothing)
You will not see these codes again. Wevion stores hashed versions; we cannot retrieve them if you lose them.
Click I've saved them to finish.
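To show why the codes cannot be retrieved later, here is an added example of how a service can issue one-time backup codes, store only hashes, and mark each code used on redemption. It is not Wevion's code; the code format, hash choice and record layout are assumptions for the illustration, and only the count of 8 comes from this article.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example, not Wevion's own settings.
CODE_COUNT = 8
# Alphabet without 0/O, 1/l/i so codes survive being read off paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code: str, salt: bytes) -> bytes:
    """Hash a backup code for storage; the clear-text code is never kept."""
    # The codes are random and high-entropy, so a salted SHA-256 is enough to
    # stop a leaked table from revealing them (a slow KDF would also work).
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def generate_backup_codes(count: int = CODE_COUNT) -> tuple[list[str], dict]:
    """Create codes to show the user once, plus the server-side record.

    The list of clear-text codes is returned only so it can be displayed
    and then discarded; the record holds hashes and a per-user salt.
    """
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    record = {"salt": salt, "hashes": {_hash_code(c, salt): False for c in codes}}
    return codes, record


def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Accept a code once: True on first use of an unused code, False otherwise."""
    candidate = _hash_code(submitted.strip().lower(), record["salt"])
    for stored, used in record["hashes"].items():
        if hmac.compare_digest(stored, candidate):
            if used:
                return False            # already redeemed: reject the replay
            record["hashes"][stored] = True
            return True
    return False


def remaining_codes(record: dict) -> int:
    """How many unused codes are left, for a 'regenerate soon' warning."""
    return sum(1 for used in record["hashes"].values() if not used)


if __name__ == "__main__":
    shown_once, server_record = generate_backup_codes()
    print("Save these now, they will not be shown again:")
    print("\n".join(shown_once))
    print("first use:", redeem_backup_code(server_record, shown_once[0]))
    print("reuse:", redeem_backup_code(server_record, shown_once[0]))
    print("remaining:", remaining_codes(server_record))
```

Because the record holds only salted hashes, a support engineer with database access cannot read the codes back, which is exactly why the article tells you to save them when they are displayed. Regenerating replaces the whole record, so any old codes still on paper become useless.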
Step 6: Test next login
Log out and log back in. After password, you'll see the 2FA prompt — enter the current 6-digit code from your app.
Email-based OTP alternative
If you don't have an authenticator app, you can use email-based OTP:
- Settings → Personal → Security → Enable email OTP instead of TOTP
- Backend: POST /api/v1/auth/2fa/email-otp to request a code, POST /api/v1/auth/2fa/verify-email-otp to verify
- On each login, after password, Wevion emails a 6-digit code (valid 5 minutes)
Trade-offs: TOTP is more secure and works offline, while email OTP depends on a code being delivered to your inbox. We strongly recommend TOTP; email OTP is a fallback.
Using backup codes
If you lose your authenticator:
- At login, click Use a backup code below the 2FA prompt
- Enter one of your saved backup codes
- You're logged in
- Each code works once — Wevion marks it used
- Re-set up 2FA immediately on a new device (see Disable + Re-enable below)
Disable 2FA
If you need to disable (changing devices, etc.):
- Settings → Personal → Security → Disable 2FA
- Backend: POST /api/v1/auth/2fa/disable
- Confirm with current password + current 2FA code
- 2FA is disabled
Important: disabling drops your account back to password-only. Re-enable on the new device immediately if you're moving phones.
Re-enable after device change
If you got a new phone:
- Disable 2FA on your account using the current device (or a backup code)
- Enable 2FA on the new device (Steps 1-5 above)
- You get fresh backup codes — save them
Authenticator apps like Authy sync across devices, so you don't need to re-enable just because of a phone upgrade — only when migrating between apps or after a full reset.
What you'll see in the UI
After 2FA is enabled:
- Settings → Personal → Security shows green badge "2FA enabled"
- Active sessions section shows current authenticated sessions
- Login history entries show 2fa_verified: true for successful logins after enabling
- At login: extra step prompting for code
What happens to API keys
API keys are separate from 2FA. Your API keys continue to work regardless. 2FA protects interactive login (browser, app); API keys protect M2M access via the x-api-key header. Both should be secure for full protection.
Enterprise SSO and 2FA
For enterprise plans, SSO (SAML / OIDC) — including delegating two-factor to your identity provider — is available on request as a dedicated configuration set up with Sales. It isn't a self-serve toggle in the app; contact Sales to enable it. Outside of that, everyday sign-in uses email/password or Google, and 2FA is managed in Wevion under Settings → Personal → Security.
Common issues
- QR code not scanning: too small / glare. Use the manual entry secret instead.
- Code rejected as "invalid": clock skew. Your phone's time must be accurate (within 30 seconds of server time). Enable auto-time-sync on the phone.
- Backup codes lost: regenerate by disabling + re-enabling 2FA (you'll need to authenticate first using current code or a remaining backup).
- Can't disable because no access to authenticator: contact support with verified identity (photo ID, account history) — support can reset 2FA after verification.
- Email OTP not arriving: check spam, whitelist noreply@wevion.ai.
- All backup codes used + no authenticator: contact support to reset.
Best practices
- Enable 2FA on all admin / owner / super_admin accounts
- Store backup codes offline (password manager works; sticky notes don't)
- Use Authy or 1Password for cross-device sync so you don't lose access on phone replacement
- Don't share TOTP codes — they're real-time auth
- Treat 2FA setup as a company policy, not optional, for production workspaces
FAQ
How do I enable 2FA in Wevion?
Go to Settings → Personal → Security → Enable 2FA. Scan the QR code with an authenticator app that supports TOTP (Google Authenticator, Authy, 1Password, and others), enter the current 6-digit code to verify, then save the backup codes shown once. 2FA is strongly recommended for admin and owner roles.
What if I lose my authenticator app?
Use one of the backup codes Wevion showed when you enabled 2FA. At login, click "Use a backup code," enter a saved code (each works once), and you're in. Then re-set up 2FA on a new device. If all codes are used and you have no authenticator, contact support to reset.
Can I use 2FA without an authenticator app?
Yes. Wevion offers email-based OTP as a fallback: enable it at Settings → Personal → Security, and after your password each login Wevion emails a 6-digit code valid for 5 minutes. TOTP via an authenticator app is more secure and works offline, so Wevion recommends TOTP over email OTP.
Does enabling 2FA affect my API keys?
No. API keys are separate from 2FA and continue to work regardless. In Wevion, 2FA protects interactive login in the browser or app, while API keys protect machine-to-machine access via the x-api-key header. For full protection, keep both secure.