Enable Two-Factor Authentication
Add an extra layer of security to your Toolfy account with two-factor authentication (2FA). Even if someone steals your password, they can't log in without the second factor from your phone.
Why enable 2FA?
Protect customer data
Your Toolfy account contains sensitive customer information, payment records, and business data. 2FA prevents unauthorized access even if your password is compromised.
Prevent account takeovers
Password breaches happen. With 2FA enabled, attackers need both your password AND your phone to access your account—making takeovers nearly impossible.
Meet compliance requirements
Some industries require 2FA for systems that handle customer data. Enabling it helps you stay compliant with GDPR, HIPAA, and similar regulations.
How to set up 2FA
Toolfy uses authenticator apps (Google Authenticator, Authy, 1Password, etc.) for 2FA. SMS-based 2FA is not supported for security reasons.
Install an authenticator app
Download one of these apps on your phone:
- Google Authenticator (iOS / Android)
- Authy (iOS / Android / Desktop)
- 1Password (if you use their password manager)
- Microsoft Authenticator (iOS / Android)
Go to Settings → Security
Find the "Two-factor authentication" section and click "Enable 2FA".
Scan the QR code
Toolfy displays a QR code. Open your authenticator app and scan it (usually via "Add account" or the + button). The app adds Toolfy and starts generating 6-digit codes that refresh every 30 seconds.
Enter the verification code
Type the 6-digit code from your authenticator app into Toolfy to confirm the setup works. If it's correct, 2FA activates immediately.
Save recovery codes
Toolfy displays 10 recovery codes (one-time use). Download or print these and store them securely—you'll need them if you lose your phone. Each code works once to bypass 2FA.
Logging in with 2FA enabled
Standard login flow
1. Enter your email and password as usual
2. Toolfy prompts for your 2FA code
3. Open your authenticator app and copy the 6-digit Toolfy code
4. Enter the code and click "Verify"
5. You're logged in. If you checked the optional "Trust this device for 30 days" box, this device stays trusted for 30 days
Trusted devices
Check "Trust this device for 30 days" when logging in to skip 2FA codes on that device for a month. Use this on personal computers only—never on shared or public computers.
Using recovery codes
When you need recovery codes
- You lost or replaced your phone
- You deleted the authenticator app by accident
- Your phone battery is dead and you need urgent access
- The authenticator app stopped working or was uninstalled
How to use a recovery code
1. Enter your email and password at login
2. Click "Use recovery code" below the 2FA prompt
3. Enter one of your 10 recovery codes
4. The code becomes invalid after use; cross it off your list
5. Go to Settings → Security and regenerate 2FA to get new recovery codes
Lost all recovery codes?
Email support@toolfy.io from your account email address with proof of identity (business name, recent invoice number, last payment method). We manually verify and disable 2FA so you can log in and set it up again.
Reset or disable 2FA
Reset 2FA (new phone or app)
1. Log in using a recovery code or trusted device
2. Go to Settings → Security
3. Click "Regenerate 2FA"
4. Scan the new QR code with your new phone/app
5. Save the new recovery codes; the old ones stop working
Disable 2FA completely
Go to Settings → Security and click "Disable 2FA". Enter your current password to confirm. This removes the second factor requirement, so future logins only ask for email + password.
Not recommended: Disabling 2FA significantly reduces account security.
2FA for team members
Individual choice
Each team member enables 2FA independently on their own account. There's no organization-wide toggle—everyone controls their own security settings.
Enforce 2FA for all team members (coming soon)
Organization owners will soon be able to require 2FA for all team members. When enabled, users without 2FA must set it up at next login. This feature is on the roadmap for Q1 2025.
Common questions
Why not SMS-based 2FA?
SMS 2FA is vulnerable to SIM-swapping attacks, where an attacker convinces your mobile carrier to transfer your number to their SIM card. Authenticator apps are more secure because they're device-specific and can't be hijacked remotely.
What if I change phones?
Before wiping your old phone, either transfer your authenticator app to the new phone (most apps support this via cloud backup or QR code export) OR use a recovery code to log into Toolfy and regenerate 2FA with the new device.
Can I use hardware keys (YubiKey, etc.)?
Not yet. Toolfy currently supports TOTP authenticator apps only. Hardware security key support (FIDO2/WebAuthn) is on the roadmap for enterprise customers.
Does 2FA slow down login?
It adds about 10 seconds to the login process. Enable "Trust this device for 30 days" on your primary work computer to skip 2FA codes for a month at a time.
What happens if I enter the wrong code 5 times?
Toolfy locks 2FA verification for 15 minutes to prevent brute-force attacks. Wait 15 minutes and try again, or use a recovery code to bypass the lockout.
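For readers who want to see how the 6-digit, 30-second codes and the 5-attempt, 15-minute lockout fit together, here is an added illustration (not Toolfy's code). It assumes standard RFC 6238 TOTP with HMAC-SHA-1, acceptance of the previous 30-second window, and single use of each code; the `Verifier` class and its return values are hypothetical.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6            # page: 6-digit codes that refresh every 30 seconds
MAX_FAILS, LOCK_SECS = 5, 900   # page: 5 wrong codes lock verification for 15 minutes

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code for the 30-second window containing `now` (HMAC-SHA-1 assumed)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server-side check: TOTP match, replay guard, lockout."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.fails = 0
        self.locked_until = 0.0
        self.last_step = -1      # newest window already accepted

    def verify(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"      # during the lock even a correct code is refused
        step = int(now) // STEP
        # Current window plus the previous one, to tolerate clock drift (assumption).
        for s in (step, step - 1):
            expected = totp(self.secret, s * STEP) if s > self.last_step else None
            if expected and hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step, self.fails = s, 0   # a code is accepted only once
                return "ok"
        self.fails += 1
        if self.fails >= MAX_FAILS:
            self.fails, self.locked_until = 0, now + LOCK_SECS
            return "locked"
        return "bad"
```

With six digits and five guesses per 15 minutes, a guesser gets at most 5 tries in 1,000,000 per lock period, which is why the lockout matters as much as the code itself.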

