Two-Factor Authentication (2FA)
Protect your account with an extra layer of security. Learn how to enable 2FA, store recovery codes and manage 2FA for your team.
What is Two-Factor Authentication (2FA)?
Two-factor authentication (2FA) adds an extra layer of security to your account. In addition to your password, you need a one-time code generated by an authenticator app on your phone.
Even if someone knows your password, they cannot log in without access to your phone. This protects your account against:
• Stolen passwords (e.g. through phishing or data breaches)
• Unauthorised access to your CMS
• Changes to your websites by unauthorised persons
2FA is based on the TOTP protocol (Time-based One-Time Password). This is the same standard used by banks and major technology companies.
Enable 2FA on your account
Here's how to enable 2FA:
1. Go to Agency Settings → Security
2. Click "Enable 2FA" in the "Your 2FA" section
3. Enter your password for confirmation (re-authentication)
4. Scan the QR code with your authenticator app
5. Enter the 6-digit verification code shown in the app
6. Save your recovery codes in a secure location
7. Confirm that you have saved the codes
After enabling, you will see a green shield icon next to your account. From now on, you will need your authenticator app for every login.
Tips
- Can't scan the QR code? Click "Show secret key" and enter it manually in your app.
- Test logging in with 2FA immediately after enabling it.
Setting up an authenticator app
You need an authenticator app on your phone. Recommended apps:
• Google Authenticator — free, available for iOS and Android
• Microsoft Authenticator — free, with optional cloud backup
• Authy — free, supports multiple devices and backup
How to set up the app:
1. Download the app from the App Store or Google Play Store
2. Open the app and choose "Add account" or "+"
3. Choose "Scan QR code"
4. Point your camera at the QR code in the CMS
5. The app will now show a new 6-digit code every 30 seconds
Manual entry (without QR code):
1. Choose "Manual entry" in the app
2. Enter your email address as the account name
3. Enter the secret key shown in the CMS
4. Choose "Time-based" (TOTP) as the type
Tips
- Authy offers cloud backup: convenient when switching phones.
- Save the secret key in a secure location as an extra backup.
Recovery codes
After enabling 2FA, you receive 10 recovery codes. These codes are your emergency key if you don't have access to your authenticator app (e.g. if your phone is lost or broken).
Important rules:
• Each code can only be used once
• Store the codes in a secure location (not on your phone!)
• You can copy the codes to your clipboard or download them as a text file
• When your codes are running low, generate new ones via Agency Settings → Security
• Generating new codes invalidates the old ones
Recommended storage methods:
• Print the codes and keep them in a safe
• Save them in a password manager (e.g. 1Password, Bitwarden)
• Store them on a USB drive in a secure location
Note
- NEVER store recovery codes on the same phone as your authenticator app. If you lose that phone, you lose both.
- Recovery codes are only shown once. Save them immediately.
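The rules above (ten codes, each usable once, a fresh set invalidates the old one, an admin reset deletes them) map onto a small piece of server-side logic. The following is an added illustration, not the CMS's own implementation: it keeps only hashes of the codes so that a database leak does not expose usable codes, shows the plaintext exactly once at generation time, and normalises user input so a code typed in upper case or without the hyphen still redeems. The code format, the 40-bit entropy per code and the "running low" threshold of 3 are assumptions chosen for the example.

```python
import hashlib
import re
import secrets

RECOVERY_CODE_COUNT = 10      # the guide states ten codes are issued
RUNNING_LOW_THRESHOLD = 3     # assumed threshold; the guide gives no exact number
CODE_PATTERN = re.compile(r"^[0-9a-f]{5}-[0-9a-f]{5}$")  # assumed display format


def normalise_code(code: str) -> str:
    """Accept 'ABCDE-FGHIJ', 'abcdefghij' or padded input as the same code."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str) -> str:
    # Codes carry 40 bits of entropy, so an unsalted fast hash is adequate here;
    # the point is that the plaintext is never persisted.
    return hashlib.sha256(normalise_code(code).encode("ascii")).hexdigest()


class RecoveryCodeStore:
    """Server-side store for one user's recovery codes: hashes only, single use."""

    def __init__(self) -> None:
        self._unused_hashes: set[str] = set()

    def generate(self, count: int = RECOVERY_CODE_COUNT) -> list[str]:
        """Issue a fresh set. Replacing the whole set is what invalidates old codes."""
        plaintext = []
        for _ in range(count):
            raw = secrets.token_hex(5)            # 5 random bytes -> 10 hex chars
            plaintext.append(f"{raw[:5]}-{raw[5:]}")
        self._unused_hashes = {hash_code(c) for c in plaintext}
        return plaintext                          # shown/downloaded once, then discarded

    def redeem(self, code: str) -> bool:
        """Consume a code. Returns True once per code, False for unknown or reused codes."""
        digest = hash_code(code)
        if digest in self._unused_hashes:
            self._unused_hashes.discard(digest)   # burn it before reporting success
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused_hashes)

    def running_low(self) -> bool:
        return self.remaining() <= RUNNING_LOW_THRESHOLD

    def reset(self) -> None:
        """Admin 'Reset 2FA': every outstanding code is deleted."""
        self._unused_hashes = set()


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.generate()
    print("store these now, they will not be shown again:", *codes, sep="\n  ")
    print("first code accepted:", store.redeem(codes[0]))
    print("same code again:", store.redeem(codes[0]))
```

In a real deployment the store would live in the user record and the redeem path would run under the same rate limiting as the password check; the single-use property is the part that matters, because a recovery code that can be replayed is just a second static password.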
Logging in with 2FA
Daily login with 2FA works as follows:
1. Enter your email address and password (or log in with Google)
2. A screen appears: "Enter your verification code"
3. Open your authenticator app on your phone
4. Enter the 6-digit code shown in the app
5. You are logged in
The code is valid for 30 seconds. If the code is about to expire (the timer is running out), wait for the next code.
No access to your authenticator app? Click "Use a recovery code" and enter one of your saved recovery codes.
Requiring 2FA for your team
As an administrator, you can require 2FA for your team:
1. Go to Agency Settings → Security
2. Scroll to "Require two-factor authentication"
3. Toggle on for the roles that should require 2FA:
• Team members
• Editors
4. Set a grace period: 3, 7, 14 or 30 days
5. Click "Save"
After activation:
• Team members without 2FA will see a yellow warning banner with the deadline
• After the grace period expires, they are required to set up 2FA before they can continue working
• In the team overview at the bottom of the Security tab, you can see the 2FA status per user
Tips
- Start with a grace period of 7 days — enough time without losing urgency.
- Inform your team in advance via email or chat that 2FA will be required.
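The requirement toggle, the grace period and the banner/block behaviour described above amount to a small policy evaluation per user, and the "Reset 2FA" action further down the page restarts that user's grace clock. The following added example models that policy in Python; it is written for this guide and is not the CMS's own code. The role names, the e-mail addresses and the timestamps are constructed, and the rule that a user with no recorded grace start is treated as blocked is an assumption made so the check fails closed rather than open.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD_CHOICES = (3, 7, 14, 30)   # days, the options offered in the Security tab


@dataclass
class User:
    email: str
    role: str                       # constructed role names: "team_member", "editor", "admin"
    enrolled: bool = False          # has completed the 2FA enrollment wizard
    grace_start: Optional[datetime] = None   # when this user's grace clock (re)started


@dataclass
class Policy:
    required_roles: frozenset       # roles toggled on under "Require two-factor authentication"
    grace_days: int

    def __post_init__(self) -> None:
        if self.grace_days not in GRACE_PERIOD_CHOICES:
            raise ValueError(f"grace period must be one of {GRACE_PERIOD_CHOICES}")


def activate_requirement(users, policy: Policy, now: datetime) -> None:
    """Admin clicks Save: start the grace clock for affected users not yet enrolled."""
    for u in users:
        if u.role in policy.required_roles and not u.enrolled and u.grace_start is None:
            u.grace_start = now


def admin_reset(user: User, now: datetime) -> None:
    """'Reset 2FA': enrollment is wiped (recovery codes too, in a real system) and,
    if the policy applies to this user, a fresh grace period runs from the reset."""
    user.enrolled = False
    user.grace_start = now


def deadline_for(user: User, policy: Policy) -> Optional[datetime]:
    if user.grace_start is None:
        return None
    return user.grace_start + timedelta(days=policy.grace_days)


def enforcement_state(user: User, policy: Policy, now: datetime) -> str:
    """'not_required' | 'enrolled' | 'grace' (yellow banner) | 'blocked' (enrollment wizard)."""
    if user.role not in policy.required_roles:
        return "not_required"
    if user.enrolled:
        return "enrolled"
    deadline = deadline_for(user, policy)
    if deadline is None:
        return "blocked"    # assumption: required, not enrolled, no clock recorded -> fail closed
    return "grace" if now < deadline else "blocked"


def days_left(user: User, policy: Policy, now: datetime) -> int:
    """Whole days to show in the warning banner; 0 once the deadline has passed."""
    deadline = deadline_for(user, policy)
    if deadline is None:
        return 0
    return max(0, (deadline - now).days)


# Constructed timeline for the demo scenario below.
DEMO_T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo_time(days: int = 0, hours: int = 0) -> datetime:
    return DEMO_T0 + timedelta(days=days, hours=hours)


def demo_scenario():
    """One team member through activation, banner, block, admin reset and re-enrollment."""
    policy = Policy(required_roles=frozenset({"team_member"}), grace_days=7)
    alice = User("alice@example.com", "team_member")
    bob = User("bob@example.com", "editor")      # editors not toggled on in this scenario
    activate_requirement([alice, bob], policy, demo_time())
    timeline = [(d, enforcement_state(alice, policy, demo_time(days=d))) for d in (0, 3, 7, 8)]
    admin_reset(alice, demo_time(days=8))        # phone lost: admin resets on day 8
    timeline.append((8, enforcement_state(alice, policy, demo_time(days=8))))
    alice.enrolled = True                        # she completes the wizard on day 9
    timeline.append((9, enforcement_state(alice, policy, demo_time(days=9))))
    return timeline, enforcement_state(bob, policy, demo_time())


if __name__ == "__main__":
    for day, state in demo_scenario()[0]:
        print(f"day {day}: {state}")
```

The scenario shows the two behaviours an administrator should expect: the state flips from `grace` to `blocked` exactly when the deadline passes, and a reset does not leave the user permanently locked out but restarts the clock, which is why the guide tells you to verify a reset request through another channel before granting it.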
Resetting 2FA for a team member
As an administrator, you can reset a team member's 2FA, for example if their phone is lost:
1. Go to Agency Settings → Security
2. Scroll to the team overview at the bottom
3. Find the user in the table
4. Click "Reset 2FA" in the Action column
5. Confirm the reset in the popup
After the reset:
• The user's 2FA and recovery codes are deleted
• The user can log in again without 2FA
• If 2FA is required, the user gets a new grace period to set up 2FA again
You can also reset 2FA via User Management: click the menu next to the user and choose "Reset 2FA".
Note
- Only reset 2FA if you are sure the request is legitimate. Verify the team member's identity through another channel (e.g. by phone).
Frequently asked questions
What if I lose my phone?
Use a recovery code to log in. Out of recovery codes? Ask your administrator to reset your 2FA.
Can I switch authenticator apps?
Yes. Disable 2FA via Agency Settings → Security, then enable it again. You will get a new QR code to scan with your new app.
Does 2FA work with Google login?
Yes. Even with Google login, a 2FA code is requested after Google authentication.
Can I disable 2FA?
Yes, if 2FA is not required by your administrator. Go to Agency Settings → Security and click "Disable 2FA". You must enter your password for confirmation.
How many recovery codes do I have?
You receive 10 codes when enabling 2FA. Each code can be used once. You can generate new codes at any time (the old ones become invalid).
What happens when the grace period expires?
You cannot use the CMS until you have set up 2FA. You will see a screen with the enrollment wizard.