Two Factor Auth

Two-factor authentication (2FA) adds a second verification step to your Statalog login. Even if someone obtains your password, they cannot access your account without also having your authentication device.

How it works

Statalog uses TOTP (Time-based One-Time Password), the same standard used by most major services. Every 30 seconds, your authenticator app generates a fresh 6-digit code. When you log in, you enter your password as normal, then enter the current 6-digit code from your app.

Any TOTP-compatible authenticator app works:

  • Google Authenticator (iOS / Android)
  • Authy (iOS / Android / desktop)
  • 1Password (built-in authenticator)
  • Bitwarden (built-in authenticator)
  • Microsoft Authenticator

Enabling 2FA

  1. Go to Account → Security.
  2. Click Enable Two-Factor Authentication.
  3. Open your authenticator app, tap the add button (usually a + icon), and choose Scan QR code.
  4. Scan the QR code displayed on screen.
  5. Your app will immediately show a 6-digit code. Enter it in the confirmation field to verify that setup is working correctly.
  6. Click Confirm and Enable.

2FA is now active. Every subsequent login will require a code from your authenticator app after the password step.

Backup codes

Immediately after enabling 2FA, Statalog generates 8 backup codes. Download them or copy them to a safe location — a password manager is ideal.

Each backup code can be used once in place of your authenticator app code. After a code is used, it is invalidated and cannot be reused. Use backup codes only if you have lost access to your authenticator app.

If you use all your backup codes, regenerate a new set from Account → Security → Regenerate Backup Codes while you still have 2FA access. New codes immediately invalidate the previous set.

Disabling 2FA

  1. Go to Account → Security.
  2. Click Disable Two-Factor Authentication.
  3. Enter a 6-digit code from your authenticator app to confirm.
  4. 2FA is disabled and backup codes are invalidated.

After disabling, log in with just your password as before.

FAQ

What if I lose my authenticator app or get a new phone? Use one of your backup codes to log in. After logging in, go to Account → Security and either re-enable 2FA with your new device (scan the new QR code) or temporarily disable and re-enable to get a fresh QR code. If you have no backup codes remaining, contact support — account recovery requires identity verification.

Can I use 2FA with team member accounts? Yes. Each team member configures 2FA on their own account independently. There is no account-wide enforcement setting currently — each person is responsible for their own security settings.

Are backup codes stored securely? Backup codes are hashed before storage, the same way passwords are. The plain-text codes are shown to you only once, at generation time. Statalog staff cannot retrieve them.