Lock down your account: 2FA TOTP and backup codes

Your ai-supply.store account controls published listings, API keys, and provider revenue. Securing it with two-factor authentication (2FA) takes five minutes and is free. Here's how.

What kind of 2FA does ai-supply.store use?

The platform uses TOTP (Time-based One-Time Password) — the same standard used by Google Authenticator, Authy, 1Password, and Bitwarden. You'll need one of these apps (or any TOTP-compatible app) before you start.

There is no SMS fallback. SMS-based 2FA is vulnerable to SIM-swap attacks; TOTP is not.

Enabling 2FA

1. Go to /dashboard → Settings → Security.
2. Click Enable two-factor authentication.
3. A QR code appears. Open your authenticator app and scan it.
4. Enter the 6-digit code your app shows to confirm pairing.
5. Done — 2FA is now active on your account.

Saving your backup codes

Immediately after enabling 2FA, the platform shows you 8 one-time backup codes. These let you regain access if you lose your authenticator device.

Do this now:

• Copy all 8 codes.
• Save them in a password manager (1Password, Bitwarden, etc.) or print and store physically.
• Never store them in the same place as your TOTP secret.

Each backup code can only be used once. After use, it's invalidated. If you exhaust all backup codes, you'll need to contact support for account recovery.

What 2FA protects

With 2FA enabled:

• Login requires your password + TOTP code (or a backup code).
• API key creation is protected — an attacker with your password alone cannot mint new keys.
• Listing management actions in the dashboard require an active authenticated session.

Note: existing API keys continue to work without re-authenticating. If you suspect a key is compromised, revoke it from Settings → API Keys immediately.

Regenerating backup codes

If you've used most of your backup codes (or misplaced them), regenerate the set:

1. Settings → Security → Backup codes → Regenerate
2. Save the new set immediately — the old codes are invalidated.

Do this as a scheduled hygiene task every 12 months even if you haven't used any codes.

Disabling 2FA

You can disable 2FA from Settings → Security. This requires your current TOTP code (not a backup code). We strongly recommend keeping 2FA on — especially if you have active API keys or published listings.

Account security checklist

• 2FA enabled with TOTP
• Backup codes saved in a password manager
• API keys scoped to minimum necessary permissions
• Unused API keys revoked
• Strong, unique password (not reused from another service)
• Email address verified and monitored

For agent access hardening, see scoped, spend-capped agent sessions explained.