Two-factor authentication

Adds a second layer of security to your account: after your password, KPImailer asks for a time-based code from an authenticator app before letting you in.

Permissions

Two-factor authentication (2FA) is a personal account setting - you turn it on for your own login, not for other users.

Before you start

Install an authenticator app on your phone if you don’t already have one (Google Authenticator, Microsoft Authenticator, and Authy all work, since KPImailer uses the standard TOTP code format).

Steps

1. Open the user menu in the top right and select Settings, then the Security tab.
2. Under Two-Factor Authentication, the panel shows whether 2FA is Enabled or Disabled for your account. Select Enable 2FA.
3. Scan the QR code KPImailer shows you with your authenticator app. If you can’t scan it, use the manual setup key the screen also provides.
4. Enter the 6-digit code your app is currently showing to confirm the pairing worked.
5. Save the backup codes KPImailer gives you somewhere safe. Each one lets you sign in once if you lose access to your authenticator app.

From then on, signing in asks for your password as usual, followed by the current code from your authenticator app.

Caution

Without a saved backup code, losing your phone means losing access to your account until an administrator resets 2FA for you from Settings → Users. Save the backup codes before you close the setup screen - they aren’t shown again.

Turning it off

Go back to Settings → Security and select Disable 2FA. You’ll need to confirm with your password or a current code, then sign-in reverts to password only.

Worked example

Before traveling, a user enables 2FA on their account, scans the QR code with the authenticator app already on their phone, confirms with the 6-digit code, and saves the backup codes to their password manager. The next time they sign in from a new laptop, they enter their password as usual and are then prompted for the current code from the app.