Set up two-factor authentication

Enable 2FA on your account in 60 seconds. Authenticator apps, backup codes, and what to do when you lose your phone.

Last updated 2026-05-10

2FA is the single highest-leverage security setting in SellStein. Turn it on in 60 seconds.

Settings → Security → 2FA

Click Enable. Choose:

  • Authenticator app: Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator. Default for most setups.
  • Hardware key: YubiKey, Titan. Best security; requires the physical key for every login.
  • SMS: fallback only. Less secure than the others; vulnerable to SIM-swap attacks.

App-based setup

The setup screen shows a QR code. Open your authenticator app, tap Add Account, scan the code. The app starts generating 6-digit codes that rotate every 30 seconds. Type the current code into the dashboard to confirm enrollment.

Backup codes

After enrolling you'll see 10 single-use backup codes. Store these somewhere safe (password manager, printed and put in a desk drawer, NOT in a Google Doc). Each code works exactly once and lets you bypass 2FA if you lose your phone.

You can regenerate codes at any time. Settings → Security → 2FA → Regenerate. Old codes become invalid the moment you regenerate.

When you lose your phone

Three options, in priority order:

  1. Use a backup code to log in, then re-enroll with the new phone.
  2. Log in from a device that already has an active session, then re-enroll.
  3. Account recovery. Settings → Security → Recovery → trigger account recovery. We require email confirmation, government ID upload, and a 24-hour cooldown before resetting 2FA.

The cooldown is annoying when it's you, but exists because account-takeover attacks bypass weaker resets.

Required for team members

Settings → Security → Require 2FA for all team members. Once enabled, anyone in your account who hasn't enrolled gets a 7-day grace period to set up 2FA, after which they can't log in. Strongly recommended for any team larger than two people.

Suspicious activity

We email you when:

  • A new device logs in
  • 2FA fails 3 times in a row
  • A backup code is used
  • 2FA is disabled
  • A password reset is requested

If you receive any of these emails and the activity was NOT you, change your password immediately and revoke all sessions (Settings → Security → Active sessions → Revoke all).

Hardware keys for high-value accounts

If you process more than $1M/year, use a hardware key. YubiKey 5 NFC is around $50, lasts forever, and is the only 2FA method immune to phishing. Settings → Security → 2FA → Add hardware key.
