Two-factor authentication

Set up TOTP, recovery codes, and dashboard MFA challenges.

Two-factor authentication adds a time-based one-time password (TOTP) challenge from your authenticator app on top of your normal dashboard sign-in.

Set up TOTP

  1. Go to Dashboard -> Settings -> Profile.
  2. Open the Two-factor authentication card.
  3. Start setup, then scan the QR code with an authenticator app.
  4. Enter the current 6-digit code from that app to finish enrollment.
  5. Save the recovery codes before leaving the page.

The TOTP factor itself is held in Supabase Auth. For recovery codes, Nimriz keeps only the hashes plus issuance metadata; the plaintext codes are displayed once at generation and never stored.

Recovery codes

  • Recovery codes are single-use backup sign-in codes.
  • You receive one set immediately after TOTP enrollment.
  • Regenerating the set invalidates every older unused code immediately.
  • Recovery codes are shown only when they are generated or regenerated, so download them at that time.

Login challenge

After primary sign-in, a user with TOTP enabled must complete the second-factor challenge before entering the dashboard while the session is still at Supabase Auth's aal1 assurance level; the dashboard requires aal2, which is reached only after the second factor.

You can finish the challenge with either:

  • the current code from your authenticator app
  • one unused recovery code

Disable TOTP or regenerate recovery codes

Self-service factor changes require:

  • your current password
  • a valid authenticator-app code or one unused recovery code

That same security check protects both:

  • recovery-code regeneration
  • full TOTP disable

Lost your authenticator app

If you still have recovery codes, use one on the challenge screen to sign in, then regenerate the set or reconfigure TOTP from profile settings.

If you lost both:

  • the authenticator app
  • every valid recovery code

you need a support-admin reset. That reset removes the old factor and invalidates every old recovery code; the next time you access the dashboard you are prompted to set up a new factor.