Multi-factor authentication
Adding a time-based one-time password (TOTP) to your sign-in flow is the single highest-impact security upgrade for accounts that aren't tied to a hardware wallet.
Why MFA matters
If you signed in with email or passkey (the embedded-wallet path), MFA is the second factor that protects everything an attacker could do with access to your email alone: sign in, drain the embedded wallet, change notification destinations.
If you signed in with an external wallet (MetaMask, etc.), the wallet itself is your second factor for sensitive actions, but MFA still protects account-level changes (linked email, security settings, API keys).
Setting up MFA
- Open Settings → Security.
- Find the Multi-factor authentication section.
- Click Enable. The UI shows a QR code and a secret string.
- Open your authenticator app (Google Authenticator, 1Password, Authy, etc.) and scan the QR code or paste the secret string.
- Enter the 6-digit code from the app to confirm. This proves the app and the server derived the same secret.
- Save the recovery codes the UI shows. You'll need one of these if you lose access to your authenticator. They're shown once and not retrievable later, so store them somewhere that isn't the same phone as the authenticator (a password manager or a printed copy).
Using MFA
After it's enabled, you'll be asked for your 6-digit TOTP code on:
- Sensitive account changes (linking/unlinking wallets, API key creation, withdrawal limit increases).
- Sign-ins from new devices.
Each code is valid for one 30-second window, so the app rotates it every 30 seconds; if a code is rejected, wait for the next one and try again rather than retyping the old one.
Recovery codes
If you lose your authenticator, recovery codes are how you get back in. Each code is single-use: after you sign in with one, you're prompted to enroll a new authenticator, and the remaining codes stay valid.
If you've used all your codes, open a support ticket — we can manually verify identity and reset MFA, but it takes time.
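The single-use behaviour described above, as an added example of how a server might keep track of recovery codes (this is illustrative code, not the product's own implementation). It assumes a per-account random salt and stores only salted SHA-256 digests, so the plaintext codes exist only as the return value of generate(), matching the "shown once, not retrievable later" rule; the code format (xxxxx-xxxxx, 40 random bits) is also an assumption.

```python
import hashlib
import hmac
import re
import secrets


def normalise(code: str) -> str:
    """Accept the code however the user typed it: drop the dash and any
    spaces, ignore case."""
    return re.sub(r"[^0-9a-z]", "", code.lower())


class RecoveryCodeStore:
    """Server-side bookkeeping for single-use recovery codes.

    Only salted SHA-256 digests are kept, so a database leak does not hand
    out working codes. The plaintext list is returned once by generate()
    and cannot be read back afterwards.
    """

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)   # per-account salt (assumption)
        self._unused = []                       # digests of codes not yet redeemed

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + normalise(code).encode()).digest()

    def generate(self, count: int = 10) -> list:
        """Create a fresh batch, replacing any earlier codes, and return the
        plaintext exactly once. Each code is 10 hex characters (40 random
        bits) displayed as xxxxx-xxxxx."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._unused = [self._digest(c) for c in codes]
        return codes

    def remaining(self) -> int:
        """How many codes are still redeemable."""
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        """Consume a code. Returns True once per valid code; a second attempt
        with the same code, or any unknown code, returns False. The other
        unused codes are untouched."""
        candidate = self._digest(code)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(candidate, stored):
                del self._unused[i]     # single-use: remove on success
                return True
        return False


if __name__ == "__main__":
    store = RecoveryCodeStore()
    batch = store.generate(count=8)
    print("show these once:", batch)
    print("first use:", store.redeem(batch[0]), "remaining:", store.remaining())
    print("replay:", store.redeem(batch[0]), "remaining:", store.remaining())
```

Because a recovery code has far less entropy than a TOTP secret, a real deployment pairs this store with rate limiting on the redeem endpoint; a slow KDF in place of SHA-256 is a reasonable hardening if the digest table could leak.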
Disabling MFA
Open Settings → Security → Multi-factor authentication → Disable. You'll be asked to confirm with your current TOTP code.
We don't recommend disabling — leave it on once it's set up. Disabling takes effect after a 24-hour delay so a stolen session can't quietly turn it off.
Common stumbles
- Code rejected, but the code looks right: TOTP codes are derived from the clock, so a phone clock that is off by more than about 30 seconds produces codes the server won't accept. Turn on automatic (network) time in the phone's OS settings, then try the next code.
- Lost authenticator and recovery codes — open a support ticket. Identity verification is required.
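The 30-second rotation described under Using MFA and the clock-skew failure above, as an added example that is not the product's own code: a minimal RFC 6238 TOTP generator and a server-side verifier that tolerates one step of drift on either side, plus a helper that simulates a phone whose clock is wrong. The secret is the RFC 6238 reference key, base32-encoded as an authenticator UI would display it (a constructed value, not a real account secret); the server time, the one-step window and the skew values are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded as the setup UI would show it. Not a real account secret.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from the QR code / secret string. Tolerate the
    spaces, lowercase and missing padding that authenticator apps accept."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is
    what the authenticator app computes; the code changes every `step` s."""
    return hotp(decode_secret(secret_b32), at // step)


def verify_totp(secret_b32: str, submitted: str, server_time: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Server-side check. Accepts the current window plus `window` steps on
    either side, so a code typed just before rotation still works, but a
    clock that drifts further than that is rejected."""
    key = decode_secret(secret_b32)
    counter = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            return True
    return False


def clock_skew_outcome(secret_b32: str, skew_seconds: int,
                       server_time: int = 1_700_000_000) -> bool:
    """Simulate the 'code rejected' stumble: the phone's clock is off by
    `skew_seconds` relative to the server (server_time is an assumed value).
    Returns whether the phone's code would be accepted."""
    phone_code = totp(secret_b32, server_time + skew_seconds)
    return verify_totp(secret_b32, phone_code, server_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SECRET_B32, now))
    for skew in (0, 30, 90, -90):
        print(f"phone clock off by {skew:+d}s -> accepted:",
              clock_skew_outcome(EXAMPLE_SECRET_B32, skew))
```

With a one-step window the verifier tolerates roughly 30 to 60 seconds of drift depending on where the server sits inside its own window, which is why the page's "off by more than 30 seconds" rule of thumb holds: a phone 90 seconds out will never land inside the accepted range. The constant-time comparison matters on the server even though codes are short-lived.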