BluAuth
Docs
Two-factor authentication

Two-factor authentication — 2FA for short — adds a second check on top of your password: a six-digit code from your phone. Even if someone steals your password, they can't sign in without your phone.

BluAuth uses TOTP (time-based one-time password) by default. That's the six-digit-code-from-an-app style of 2FA. Some tenants also allow SMS codes or hardware keys; more on those below.

Before you start

Have your phone nearby and an authenticator app ready to go. Any of these work well:

  • 1Password — integrates with your saved passwords, backs up to your 1Password account.
  • Authy — free, backs up to the cloud so you can recover if you lose your phone.
  • Google Authenticator — free, simple, now supports backups.
  • Microsoft Authenticator — free, good fit if your company already uses Microsoft 365.

Authy and 1Password are the easiest for most people because they survive phone loss. Google Authenticator without backups is the worst choice — if you lose your phone, you lose your 2FA.

Enrolling

  1. Sign in to BluAuth as normal.
  2. Click your avatar and choose Profile.
  3. Open the Security section.
  4. Click Enable two-factor authentication.
  5. BluAuth shows a QR code and a manual setup key.
  6. Open your authenticator app, tap Add account (or the equivalent), and scan the QR code. If you can't scan — for example, you're setting up on the same phone that shows the QR — tap enter manually in your app and type the setup key.
  7. Your app will immediately start generating six-digit codes for BluAuth.
  8. Type the current code into the BluAuth confirmation field and click Verify.

Once verified, 2FA is on.

Backup codes — do this now

Right after enrolling, BluAuth shows you a list of backup codes — usually 10 single-use codes. These are your lifeline if you ever lose your phone.

  • Save them in a password manager. 1Password, Bitwarden, and similar all have "secure note" fields. This is the easiest option.
  • Print a copy and put it somewhere safe. A drawer, a safe, a wallet — anywhere you can find it but a thief can't.
  • Don't save them in plain text on the same device you use for 2FA. If your phone is compromised or lost, both your 2FA and the backup codes are gone.

Each code works once. After you use one, cross it off the list.

If you run low on backup codes, go to Profile → Security and generate a new set. The old set stops working immediately.
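The guarantees this section makes (about ten single-use codes, each redeemable once, the whole old set invalidated when a new one is generated) are easy to state and worth seeing enforced. The store below is an added illustration, not BluAuth's own code; it keeps only salted hashes of the codes, and the code length, alphabet and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10                                      # "usually 10 single-use codes"
CODE_LENGTH = 10                                     # assumption
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"    # assumption: no look-alike characters


class BackupCodes:
    """Server-side backup-code store for one account.

    Only salted hashes are stored, each code redeems exactly once, and
    generate() discards the previous set so old codes stop working immediately.
    """

    def __init__(self) -> None:
        self._salt = b""
        self._unused: set[bytes] = set()

    def generate(self) -> list[str]:
        """Issue a fresh set. The plaintext list is shown to the user once and never stored."""
        self._salt = secrets.token_bytes(16)          # new salt: old hashes can never match again
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(CODE_COUNT)]
        self._unused = {self._hash(c) for c in codes}
        return codes

    def _hash(self, code: str) -> bytes:
        # Slow hash: backup codes are short, so a leaked table should not be brute-forceable.
        return hashlib.pbkdf2_hmac("sha256", code.strip().lower().encode(), self._salt, 100_000)

    def redeem(self, code: str) -> bool:
        """Accept an unused code and burn it; anything already used or from an old set fails."""
        digest = self._hash(code)
        match = next((s for s in self._unused if hmac.compare_digest(s, digest)), None)
        if match is None:
            return False
        self._unused.discard(match)                   # single use: cross it off the list
        return True

    def remaining(self) -> int:
        """How many codes are left, so the UI can warn when the user runs low."""
        return len(self._unused)
```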

Signing in with 2FA

After 2FA is on, sign-in has one extra step.

  1. Enter your email and password as normal.
  2. BluAuth asks for your six-digit code.
  3. Open your authenticator app, find your BluAuth entry, type the current code.
  4. You're in.

Codes rotate every 30 seconds. If one doesn't work, wait for the next one. Don't worry about typing fast — BluAuth accepts the previous code for a short grace period to cover slow typing.

Common problems

"Invalid code"

  • Is your phone's clock set to automatic network time? TOTP codes depend on synchronized time. A drift of 30 seconds or more breaks them. On iPhone: Settings → General → Date & Time → Set Automatically. On Android: Settings → System → Date & time → Set time automatically.
  • Are you looking at the right entry in the app? If you've added multiple BluAuth accounts (different tenants), the codes aren't interchangeable.
  • Did you barely miss the window? Wait for the next code and try again.
  • Is caps lock on? (Codes are digits, but some apps show them near letters that could trick you.)
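To make the "codes rotate every 30 seconds", "previous code accepted for a short grace period" and "30 seconds of clock drift breaks them" statements above concrete, here is an added RFC 6238 TOTP generator and a server-side check with that grace window, plus a helper that simulates a phone whose clock is off. This is illustrative code, not BluAuth's implementation; the demo secret is constructed, and the size of the grace window (one previous step) is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret, not a real BluAuth key: the base32 "manual setup key"
# an authenticator app stores at enrollment.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30        # codes rotate every 30 seconds
DIGITS = 6
# Assumption: BluAuth's "short grace period" means the previous step's code is also accepted.
ACCEPT_PREVIOUS_STEPS = 1


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for the given clock reading."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_code(secret_b32: str, submitted: str, server_time: int) -> bool:
    """Server-side check: the current step plus ACCEPT_PREVIOUS_STEPS earlier steps."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for steps_back in range(ACCEPT_PREVIOUS_STEPS + 1):
        candidate = totp_code(secret_b32, server_time - steps_back * STEP_SECONDS)
        # Constant-time comparison so response timing doesn't reveal which digits matched.
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def phone_with_drift_is_accepted(drift_seconds: int, server_time: int = 1_700_000_000) -> bool:
    """Would a phone whose clock is off by drift_seconds (negative = behind) get in?"""
    phone_code = totp_code(DEMO_SECRET_B32, server_time + drift_seconds)
    return verify_code(DEMO_SECRET_B32, phone_code, server_time)


if __name__ == "__main__":
    # The default server_time is 20 s into a step, so a phone 30 s behind still lands
    # in the accepted previous step, while 60 s behind or 30 s ahead is rejected.
    for drift in (0, -30, -60, 30):
        print(f"phone clock off by {drift:+d}s -> accepted: {phone_with_drift_is_accepted(drift)}")
```

A phone that is ahead of the server fails sooner than one that is behind, because the window only reaches backwards; that asymmetry is why "set time automatically" is the first thing to check.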

I lost my phone but I have backup codes

  1. On the 2FA prompt, click Use a backup code instead.
  2. Type one of your unused backup codes.
  3. You're in.
  4. Immediately go to Profile → Security, disable 2FA, and re-enable it on your new phone.
  5. Save the new backup codes.

I lost my phone and I don't have backup codes

Contact your administrator. They can reset your 2FA. You'll set it up again from scratch the next time you sign in.

Depending on your tenant's policy, your admin may need to verify your identity first — a quick call, a message from a verified channel, or an in-person check. This is deliberate; it's exactly the moment an attacker might try to socially engineer their way in.

My authenticator app deleted my entry

Some apps lose entries when you reinstall them or switch phones without a backup. You're in the same boat as "I lost my phone without backup codes" — contact your admin for a reset.

I have the wrong date on my phone and can't sync

If your phone's clock is set manually and won't let you switch to automatic (common on older or jailbroken devices), you can usually fix the drift inside the authenticator app itself. In Google Authenticator: Settings → Time correction for codes → Sync now. Other apps have similar options.

SMS 2FA

By default, BluAuth uses TOTP codes only. SMS 2FA — where BluAuth texts you a code — is available only if your tenant has opted in.

SMS is less secure than TOTP. A motivated attacker can hijack a phone number through SIM-swap attacks, and the codes travel over networks your company doesn't control. Most enterprise tenants leave SMS disabled for that reason.

If SMS is available for your tenant, you'll see the option when enrolling. You can add a phone number under Profile → Security → SMS backup as well.

Hardware keys (WebAuthn)

Some tenants allow hardware security keys — YubiKey, Titan Key, and similar — as a 2FA method. If your tenant has WebAuthn enabled, you'll see a Register a security key option in Profile → Security.

Hardware keys are the strongest form of 2FA. They resist phishing (the key only answers the site it was registered with), don't depend on clock accuracy, and don't care whether you have signal. If your tenant supports them and you have one, use it.

Register at least two keys (a primary and a backup), and keep the backup somewhere other than where you keep the primary. Losing your only key is effectively the same as losing your phone with no backup codes.

Turning 2FA off

Go to Profile → Security → Disable two-factor authentication. You'll need to type your current password and a current 2FA code to confirm — BluAuth doesn't let anyone turn off 2FA without proving they already have both factors.

In some enterprise tenants, 2FA is required and you cannot turn it off yourself. If the Disable button is greyed out, that's why. To request an exception, contact your admin — but be aware that most admins won't approve it for security and compliance reasons.

What if my tenant requires 2FA?

Some admins require 2FA for all users. In that case:

  • You'll be prompted to set it up the first time you sign in, before you can do anything else.
  • You can't skip the setup — the app won't continue until it's done.
  • You can't disable 2FA later without admin approval.
  • If you lose access, you'll need your admin to reset it for you.

Plan ahead: save your backup codes somewhere you can actually find them.

Switching phones

When you get a new phone, moving 2FA across takes a few minutes. The exact steps depend on your authenticator app.

If you use 1Password or Authy (with cloud backup enabled)

  1. Install the app on the new phone and sign in with your account.
  2. Your 2FA entries sync automatically.
  3. Codes from the new phone work immediately.
  4. Nothing to do on BluAuth's side.

If you use Google Authenticator (with Google account sync enabled)

  1. Install Google Authenticator on the new phone.
  2. Sign in with the same Google account.
  3. Your entries sync across.

If your app doesn't back up

You'll need to re-enroll 2FA on the new phone before you retire the old one:

  1. On the old phone, open BluAuth, go to Profile → Security, and choose Move to a new device.
  2. Scan the new QR code with the app on your new phone.
  3. Verify a code from the new phone.
  4. The old phone's entry is automatically retired.

If you've already gotten rid of the old phone, you're in "lost my phone" territory. Use a backup code and re-enroll from scratch.

What if I'm suspicious someone else has my 2FA?

Unlike a password, 2FA codes can't be "stolen" at rest — they're generated on demand and only valid for 30 seconds. But the seed behind them (the QR code you scanned) is long-lived. If you think that seed may have been exposed — your phone was unlocked by someone else, your authenticator app's cloud backup was compromised, or you scanned the QR somewhere public — treat it as compromised.

  1. Sign in to BluAuth.
  2. Go to Profile → Security → Disable two-factor authentication.
  3. Re-enable it — a new QR code and new backup codes are generated.
  4. Change your password too, just to be safe.
  5. Check Active sessions and sign out of anything you don't recognize.

Common questions

Why doesn't BluAuth just email me a code?

Email-based codes are less secure than TOTP. If someone has access to your email, they have access to the codes — which defeats the point of a second factor. BluAuth uses TOTP so that a compromised password and a compromised email still aren't enough to sign in.

Can I use my phone's built-in authenticator?

Yes. iOS's built-in two-factor code generator (in Settings → Passwords) and the built-in authenticator on recent Android versions both work the same as a third-party app. Scan the QR code with whichever you prefer.

Will 2FA slow me down every time?

Only once per session, usually. After you enter the code at sign-in, you won't be asked again for the length of that session. Some tenants re-prompt periodically — see "My session keeps expiring" for the schedule.

Can I have 2FA on some accounts and not others?

Each BluAuth account has its own 2FA setting. If you have separate accounts for different tenants, you can enable 2FA on one without affecting the other — though most admins will require it on any account with real access.

Related

  • I can't sign in — for general sign-in troubleshooting, including invalid-code problems.
  • How do I reset my password? — password resets don't affect your 2FA.
  • My session keeps expiring — some tenants re-prompt for 2FA periodically.
  • Why do I have multiple accounts? — 2FA behavior after a merge.

© 2026 Blu Digital Group