What 2FA is
Two-factor authentication (2FA) is a second step at sign-in. After your password, BitBooks asks for a code from a separate device (your phone, usually).
The point: even if someone learns your password (phishing, leak, breach at another service where you reused it), they still can't sign in without your phone.
For accounting books that contain financial data and Bitcoin wallet credentials, 2FA is a smart investment.
How to set it up
- Click your avatar in the sidebar (bottom-left)
- Click Profile (or Account Settings)
- Find the Security or Two-Factor Authentication section
- Click Enable

You'll choose a method:
Authenticator app (recommended)
Use an app like:
- Authy (free, multi-device sync)
- Google Authenticator (free, simple)
- 1Password (built into the password manager)
- Bitwarden (built in)
- Aegis or Raivo (open-source, mobile)
The setup flow:
- BitBooks shows a QR code
- Open your authenticator app
- Tap "Add account" (or scan a QR code)
- Scan the BitBooks QR code with the app
- The app shows a 6-digit code that changes every 30 seconds
- Type that code into BitBooks to confirm
- 2FA is enabled

SMS (less secure but available)
If you can't use an authenticator app, BitBooks can send a code by text message:
- Pick SMS as the method
- Enter your phone number
- BitBooks sends a test code
- Enter it to confirm
SMS is less secure than authenticator apps because:
- SMS can be intercepted via SIM-swap attacks
- SMS depends on cellular network availability
Use SMS only if you can't run an authenticator app. Authenticator apps are strongly preferred.
What 2FA looks like at sign-in
After 2FA is enabled, sign-in becomes a two-step process:
- Enter your email and password (same as before)
- BitBooks shows a 2FA prompt
- Open your authenticator app, get the current 6-digit code
- Enter the code in BitBooks
- You're in
The code changes every 30 seconds. Make sure your phone's clock is accurate: the code is computed from the current time, so a clock that is off by a minute produces codes BitBooks will reject.
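As an added example (not BitBooks' own code), the following Python implements the RFC 6238 TOTP algorithm that both the authenticator app and the server run from the shared secret inside the setup QR code, and shows why the clock matters: with the usual one-step tolerance window, a code from a phone whose clock is 60 seconds off does not verify, while a 30-second drift still does. The secret and timestamps are the published RFC 4226/6238 test vectors; the otpauth:// URI is the standard format QR codes encode; the "BitBooks" issuer name and the account name are assumed.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP_SECONDS = 30   # the 30-second rotation described above
TOTP_DIGITS = 6          # the 6-digit code

# Constructed test secret: the RFC 4226/6238 reference key (20 ASCII bytes).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. `window` is how many 30-second steps of clock drift to
    tolerate in each direction. Comparisons are constant-time so response timing
    does not leak which digits were right."""
    if len(submitted) != TOTP_DIGITS or not submitted.isdigit():
        return False
    counter = unix_time // TOTP_STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta)
        # Accumulate rather than return early so every candidate is compared.
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


def provisioning_uri(secret: bytes, account: str, issuer: str = "BitBooks") -> str:
    """The otpauth:// URI a setup QR code encodes (issuer and account names are assumed)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={TOTP_DIGITS}&period={TOTP_STEP_SECONDS}")


def clock_drift_accepted(secret: bytes, drift_seconds: int, window: int = 1) -> bool:
    """Does a code from a phone whose clock is `drift_seconds` off still verify?"""
    server_time = 1234567890  # constructed fixed server time (an RFC 6238 vector)
    phone_code = totp(secret, server_time + drift_seconds)
    return verify_totp(secret, phone_code, server_time, window)


if __name__ == "__main__":
    print(provisioning_uri(TEST_SECRET, "alice@example.com"))
    print("code at T=59:", totp(TEST_SECRET, 59))
    for drift in (0, 30, 60, -60):
        print(f"phone clock off by {drift:+d}s accepted:", clock_drift_accepted(TEST_SECRET, drift))
```

The window of one step is a common server default; widening it makes drifted phones work but also lengthens the time a phished code stays usable, which is the trade-off behind the "keep your clock accurate" advice.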
Recovery codes
When you set up 2FA, BitBooks should give you recovery codes. These are one-time-use codes that work in case you lose your authenticator (phone broken, app deleted, SIM swapped).
Save them somewhere safe. Options:
- Your password manager (best)
- Printed and stored in a safe place
- An encrypted note
If you lose both your authenticator AND your recovery codes, you'd need to contact support to disable 2FA on your account. We'd verify your identity through other channels before doing so.
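As an added example (not BitBooks' own code), the following Python shows the server side of the recovery-code scheme described above: codes are generated once, shown to the user, and only their hashes are stored, so a leaked table cannot be used to sign in; each code is accepted once and then moved to a "spent" set so a second presentation can be refused and flagged. The code format (xxxxx-xxxxx), the count of ten, and the class names are assumptions.

```python
import hashlib
import hmac
import secrets

RECOVERY_CODE_COUNT = 10  # assumed batch size


def _normalise(code: str) -> str:
    """Accept the code however the user typed it: case, spaces and the display hyphen are ignored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str) -> str:
    # Codes carry 40 bits of randomness, so an unsalted SHA-256 is enough to make the
    # stored table useless on its own (low-entropy secrets would need a slow, salted hash).
    return hashlib.sha256(_normalise(code).encode("ascii")).hexdigest()


def generate_recovery_codes(count: int = RECOVERY_CODE_COUNT) -> list[str]:
    """Plaintext codes shown to the user exactly once, formatted xxxxx-xxxxx."""
    codes: set[str] = set()
    while len(codes) < count:
        raw = secrets.token_hex(5)  # 10 hex characters, 40 bits of entropy
        codes.add(f"{raw[:5]}-{raw[5:]}")
    return sorted(codes)


class RecoveryCodeStore:
    """What the server keeps for one account: hashes only, each usable once."""

    def __init__(self, plaintext_codes: list[str]) -> None:
        self._unused = {_digest(c) for c in plaintext_codes}
        self._used: set[str] = set()

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """True exactly once per genuine code; afterwards the same code is refused."""
        h = _digest(submitted)
        matched = None
        # Compare against every stored hash in constant time, with no early exit.
        for stored in self._unused:
            if hmac.compare_digest(stored, h):
                matched = stored
        if matched is None:
            return False  # unknown code, or a code already spent
        self._unused.remove(matched)
        self._used.add(matched)  # retained so a replay can be detected below
        return True

    def was_already_used(self, submitted: str) -> bool:
        """A genuine code presented a second time: worth logging and alerting the account owner."""
        return _digest(submitted) in self._used


if __name__ == "__main__":
    batch = generate_recovery_codes()
    print("show these to the user once:", batch)
    store = RecoveryCodeStore(batch)
    print("first use:", store.redeem(batch[0]), "second use:", store.redeem(batch[0]))
    print("replay of a spent code:", store.was_already_used(batch[0]))
    print("codes left:", store.remaining())
```

Re-issuing a batch should replace the whole set rather than top it up, so that a user who regenerates codes after suspecting exposure is not left with any of the old ones still valid.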
Required by your organization
Owners can require 2FA for everyone in the organization. If this is set, every member must enable 2FA before they can use BitBooks.
The setting is in Admin → Settings under Security (when shipped). Today, 2FA is per-user opt-in.
For sensitive organizations (Bitcoin treasuries, multi-million-dollar books), enabling org-wide 2FA is strongly recommended.
What 2FA does NOT protect against
- A compromised device. If your phone is stolen and unlocked, the attacker has both the password (in your password manager) and the 2FA app. Lock your phone and use device-level security.
- Real-time phishing. A sophisticated phishing site can prompt for both your password and your 2FA code, then relay them to BitBooks before the code expires. Hardware keys (FIDO2/WebAuthn) protect against this; standard 2FA does not.
- Social engineering of support. If someone convinces support to disable your 2FA, they bypass the protection. Support has procedures to verify identity, but this is a risk.
For the highest security, use a hardware security key (when supported in BitBooks) plus 2FA.
Common questions
"What if my phone breaks and I don't have recovery codes?"
Contact support. We'll verify your identity through other channels (email, ID document, etc.) and disable 2FA so you can sign in. Then you can re-enable with a new device.
This process takes time (typically 24-48 hours), so prevention (saving recovery codes) is much better than recovery.
"Can I have multiple authenticator devices?"
If you use Authy, yes. Authy syncs across devices.
If you use Google Authenticator (no sync), you have one device. To switch, you'd disable 2FA, re-enable it, and scan the new QR code on the new device.
1Password and Bitwarden both sync across devices.
"Is the 6-digit code different on every site?"
Yes. Each service generates its own. Your authenticator app holds many "accounts" (BitBooks, Gmail, Twitter, etc.) and shows a different rolling code for each.
"What if I'm temporarily without my phone?"
Use a recovery code (you saved them, right?). Each one is single-use.
Where to go next
- User Roles for who has access to what
- Inviting Team Members for setting up team accounts
- Organization Settings Overview for org-wide settings (when 2FA enforcement is configurable)