# Two-Factor Authentication (/docs/team/two-factor-auth)
Two-factor authentication (2FA) adds a second layer of protection on top of your password. Even if someone steals or guesses your password, they cannot sign in to your account without also having access to your phone (or one of your saved recovery codes).

Because Resytech accounts can move real money -- payouts, refunds, payment settings -- we strongly recommend that every team member enables 2FA.

## How it works [#how-it-works]

When 2FA is enabled, signing in becomes a two-step process:

1. **Step 1 -- Password.** You enter your email and password as usual.
2. **Step 2 -- Verification code.** Resytech sends a 6-digit code to your verified mobile phone via SMS. You enter that code to finish signing in.

If anything goes wrong with step 2 -- you do not have your phone, you did not get the SMS, the code expired -- you can use one of your **recovery codes** instead. See [Recovery codes](#recovery-codes) below.

## Enabling 2FA [#enabling-2fa]

You enable 2FA from your profile page. Resytech walks you through a three-step wizard:

1. **Phone number** -- Enter the mobile number you want codes sent to, and confirm your password.
2. **Verify** -- Enter the 6-digit code Resytech texts you. This step proves you actually own the phone number you typed in.
3. **Save recovery codes** -- Resytech generates ten one-time recovery codes and shows them to you exactly once. Save them somewhere safe.

After step 3 your account is protected. You will be asked for a verification code the next time you sign in.

For step-by-step instructions, see [Enable Two-Factor Authentication](/how-to/team/enable-two-factor-authentication).

## What kind of phone numbers work [#what-kind-of-phone-numbers-work]

Today Resytech only supports **US mobile numbers**. The number must be in E.164 format -- a `+1` country code followed by ten digits, like `+14155551234`. You can type the number with spaces, dashes, or parentheses; Resytech will normalize it.
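
The normalization rule above, as an added example that is not Resytech's own code (the function name is an assumption): strip formatting characters, accept an optional `+1` or leading `1`, and reject anything that is not a ten-digit US number. It also applies the NANP rule that area code and exchange cannot start with 0 or 1, which is slightly stricter than the page's "ten digits".

```python
import re
from typing import Optional

# Added illustration of the phone-number rule described above; not Resytech's
# own code. The function name is an assumption.

def normalize_us_mobile(raw: str) -> Optional[str]:
    """Return the number as E.164 ('+1' followed by ten digits), or None if
    the input is not a plausible US number.

    Spaces, dots, dashes and parentheses are stripped, as the page says the
    dashboard does. A '+' is only meaningful at the very start; a '+' with
    any country code other than 1 is rejected as non-US.
    """
    s = raw.strip()
    if "+" in s[1:]:
        return None                      # '+' anywhere but the front is garbage
    digits = re.sub(r"\D", "", s)        # keep digits only
    if s.startswith("+"):
        if not digits.startswith("1"):
            return None                  # explicit non-US country code
        digits = digits[1:]
    elif len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]              # trunk prefix typed without '+', e.g. 1-415-...
    if len(digits) != 10:
        return None
    # NANP rule (slightly stricter than the page's 'ten digits'): neither the
    # area code nor the exchange can begin with 0 or 1.
    if digits[0] in "01" or digits[3] in "01":
        return None
    return "+1" + digits
```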

Landlines and VoIP numbers may not receive SMS reliably. If your mobile carrier blocks short-code SMS, you may not get codes -- contact your carrier or use one of your recovery codes.

## Codes are sent from Resytech, not your business's Twilio account [#codes-are-sent-from-resytech-not-your-businesss-twilio-account]

If your company has connected its own Twilio account for booking notifications, **2FA codes do not use it**. Security messages always come from the main Resytech number. This is intentional: security flows should not depend on tenant-specific configuration that could be misconfigured or accidentally disconnected.

## Recovery codes [#recovery-codes]

Recovery codes are your safety net for the day you lose your phone. When you enroll in 2FA, Resytech generates ten codes that look like `abcd-efgh`. Each code can be used **once** to sign in instead of an SMS verification code.

Recovery codes are shown to you **exactly once**, immediately after you finish enrollment. Resytech never displays them again. Save them somewhere safe:

* A password manager (1Password, Bitwarden, etc.)
* A printed copy in a locked drawer
* A `.txt` file on an encrypted disk

Resytech provides **Copy all** and **Download .txt** buttons on the recovery codes screen to make this easy. You must check the "I have saved these recovery codes" box before you can dismiss the screen.

## Using a recovery code [#using-a-recovery-code]

If you ever lose access to your phone:

1. Sign in with your password as usual.
2. When the verification code screen appears, click **Use a recovery code instead**.
3. Type or paste one of your saved codes.
4. Sign in. The code is now permanently used and cannot be reused.

See [Recover Account Access](/how-to/team/recover-account-access) for the full walkthrough.

## Running out of codes [#running-out-of-codes]

The profile page shows how many recovery codes you have left. When you are down to three or fewer, Resytech displays an amber warning prompting you to regenerate.

You can regenerate at any time from **Profile > Security > Regenerate recovery codes**. Regenerating produces a fresh batch of ten codes and **immediately invalidates the old set** -- including any old codes you have saved in a password manager. Make sure to save the new ones in the same place as the old ones.

Regeneration requires both your current password and a fresh SMS code, so a stolen session alone is not enough to invalidate your codes.

## Trusted devices [#trusted-devices]

Re-entering an SMS code on every sign-in gets old fast. To avoid this, Resytech offers a "Trust this device for 30 days" checkbox on the verification step.

When you check it:

* Resytech issues a long-lived browser cookie to the device you are signing in from.
* The next time you sign in from that same browser, Resytech recognizes the cookie and skips the verification code step.
* The trust expires after **30 days**, after which you will be asked for a code again.

## Listing and revoking trusted devices [#listing-and-revoking-trusted-devices]

Visit **Profile > Security > Trusted Devices** to see every device that is currently trusted on your account. Each entry shows:

* **Device name** -- parsed from the browser, e.g. "Chrome on Windows" or "Safari on iPhone"
* **Last used** date
* **Expires** date
* **IP address** the device was last seen from
* A **"This device" badge** marking the browser you are currently using

You can revoke any trusted device individually, or revoke all of them at once. A revoked device will be required to complete 2FA again on its next sign-in.

## When you should revoke [#when-you-should-revoke]

Revoke a trusted device if:

* You lost a laptop or phone
* You used a friend's computer to sign in
* You suspect anyone else has accessed your account
* You see a device or location in the list you do not recognize

Disabling 2FA also automatically revokes every trusted device, since the protection no longer applies.

## Disabling 2FA [#disabling-2fa]

You can turn 2FA off from **Profile > Security > Disable 2FA**. To prevent an attacker with a stolen session from quietly disabling your protection, the disable flow requires both:

1. Your **current password**, and
2. **Either** a fresh SMS verification code **or** one of your recovery codes.

Once disabled:

* Your verified phone number is removed from your account
* All your recovery codes are deleted
* All your trusted devices are revoked
* Your next sign-in will not ask for a verification code

You can re-enable 2FA at any time, which generates a fresh batch of recovery codes.

## Changing your phone number [#changing-your-phone-number]

To change the phone number 2FA codes are sent to, you must **disable 2FA first, then re-enroll** with the new number. Resytech does not let you swap phone numbers in place. This is a deliberate security choice -- it forces you to prove you still control the *current* phone before changing it, preventing an attacker with session access from silently moving your 2FA to a phone they control.

## Limits and rate limiting [#limits-and-rate-limiting]

To protect both your account and Resytech's SMS budget, several limits apply:

| Limit                                            | Value                                                               |
| ------------------------------------------------ | ------------------------------------------------------------------- |
| **Code length**                                  | 6 digits                                                            |
| **Code expiry**                                  | 10 minutes                                                          |
| **Wrong-code attempts per code**                 | 5 (then the code is permanently burned)                             |
| **SMS messages per user per 24 hours**           | 10 (across all 2FA flows -- login, enrollment, disable, regenerate) |
| **Recovery code attempts per user per 24 hours** | 10 (failed attempts only -- successful ones reset the counter)      |
| **Resend cooldown**                              | 60 seconds between resend requests                                  |
| **Trusted device duration**                      | 30 days                                                             |
| **Recovery codes per batch**                     | 10                                                                  |

Hitting any of these limits returns a clear error message in the dashboard. If you genuinely cannot get a code through, use a recovery code instead.

## Security model summary [#security-model-summary]

For the curious, a few notes about how Resytech protects your 2FA data:

* **Verification codes** are stored as SHA-256 hashes with a per-row random salt. The plaintext code is never written to the database, never logged, and never visible to Resytech staff.
* **Recovery codes** are stored as Argon2 hashes (the same algorithm we use for passwords).
* **Trusted-device cookies** are 256 bits of cryptographic randomness, stored only as SHA-256 hashes in the database. A database leak therefore does not let an attacker forge a trusted-device cookie.
* **Login challenges** can only be referenced for a 10-minute window after they are issued. A stale challenge ID -- copied from a log file or browser history -- cannot be replayed indefinitely.
* **Disable, regenerate, and enrollment changes** are all wrapped in database transactions. There is no failure mode where Resytech burns a recovery code but leaves your 2FA in an inconsistent state.
* **Every enrollment, disable, and recovery event** is logged with the user, IP address, and browser, so a security review can reconstruct exactly who did what.
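
The verification-code properties above, together with the 10-minute expiry and the five-wrong-attempts limit from the table, as an added example that is not Resytech's own code (class, field and function names are assumptions): only a per-row salt and a SHA-256 hash are kept, the plaintext goes out by SMS and is forgotten, and the check is a constant-time hash comparison that expires and burns codes as described.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added illustration of the verification-code rules stated on this page
# (salted SHA-256 at rest, 10-minute expiry, five wrong attempts burn the
# code). Not Resytech's own code; class, field and function names are assumed.
CODE_TTL_SECONDS = 10 * 60
MAX_WRONG_ATTEMPTS = 5

def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()

@dataclass
class LoginChallenge:
    """What gets persisted: never the plaintext code, only salt + hash."""
    salt: bytes
    code_hash: bytes
    issued_at: float        # seconds since epoch
    wrong_attempts: int = 0
    burned: bool = False    # too many wrong guesses; cannot be used again
    used: bool = False      # consumed by a successful sign-in

def issue_challenge(now: float) -> tuple[LoginChallenge, str]:
    """Create a challenge; the returned plaintext goes out by SMS and is
    then forgotten by the server."""
    code = f"{secrets.randbelow(10**6):06d}"   # uniform six digits, zero-padded
    salt = secrets.token_bytes(16)             # fresh per-row salt
    return LoginChallenge(salt, hash_code(code, salt), now), code

def verify_code(ch: LoginChallenge, submitted: str, now: float) -> str:
    """Return 'ok', 'used', 'burned', 'expired' or 'wrong' and update state."""
    if ch.used:
        return "used"
    if ch.burned:
        return "burned"
    if now - ch.issued_at > CODE_TTL_SECONDS:
        return "expired"
    # Compare hashes in constant time so response timing does not leak
    # how many leading bytes of the guess matched.
    if hmac.compare_digest(hash_code(submitted, ch.salt), ch.code_hash):
        ch.used = True
        return "ok"
    ch.wrong_attempts += 1
    if ch.wrong_attempts >= MAX_WRONG_ATTEMPTS:
        ch.burned = True     # fifth wrong guess burns the code for good
        return "burned"
    return "wrong"
```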

## What if you cannot recover your account at all? [#what-if-you-cannot-recover-your-account-at-all]

If you have lost both your phone *and* all of your recovery codes, contact your Resytech administrator. They cannot read your codes or see your password, but they can disable 2FA on your account from the company user management screen so you can sign in with just your password and re-enroll.

If you are the only administrator on your company and you have locked yourself out, contact Resytech support directly.
