Two-Factor Authentication
Add a second verification step to your MemberPass sign-in using Google Authenticator or any TOTP-compatible app.
By the end of this page, you'll have two-factor authentication (2FA) turned on — and you'll know exactly what to do if you ever lose your authenticator device.
Two-factor authentication means that after your password, you'll be asked for a six-digit code that only your phone can generate. Even if someone stole your password, they couldn't sign in without your device.
We strongly recommend every creator enables either 2FA or a passkey. Losing control of your account means losing access to your subscribers and your revenue.
What you need
- A smartphone or tablet with a TOTP-compatible authenticator app installed. Any of these work:
  - Google Authenticator (iOS, Android)
  - Microsoft Authenticator
  - Authy
  - 1Password, Bitwarden, or other password managers that generate TOTP codes
- Access to your MemberPass account on a computer or second device so you can scan the QR code.
Turn on 2FA
1. Open Security Settings.
   From the account menu, go to Settings → Security (URL: /settings/security). Scroll to the Two Factor Authentication (2FA) section.
2. Click Enable Two Factor Authentication.
   A modal appears with a QR code and a manual setup key.
3. Scan the QR code with your authenticator app.
   In Google Authenticator: tap + → Scan a QR code and point your camera at the screen. In most password managers, use the "Add TOTP" flow and scan the same code.
   If you can't scan (for example, you only have one device), tap Manual entry and copy the setup key into your app by hand.
4. Enter the six-digit code your authenticator displays to confirm the setup. Codes rotate every 30 seconds, so if the current one expires before you type it, just wait for the next one.
5. Save your recovery codes.
   MemberPass will now show eight recovery codes. See Recovery codes below for why they matter and where to keep them.
Done. Next time you sign in, you'll be taken to /two-factor after your password, where you'll enter a fresh code from your app.
Recovery codes
When you enable 2FA, MemberPass generates eight single-use recovery codes in the format XXXXXXXXXX-XXXXXXXXXX. Each one can be used once in place of an authenticator code.
They're your safety net if your phone is ever lost, wiped, or broken.
Storing them safely
Store these codes somewhere safe before closing the setup modal. They won't be shown again after you dismiss it. Best options: a password manager (1Password, Bitwarden, LastPass, etc.); a printed copy stored somewhere secure offline; or a secure note in iCloud Keychain or Google Password Manager.
Common questions about recovery codes
Signing in with 2FA
Every sign-in now has one extra step:
1. Enter your email and password as usual at /login.
2. You land on the Two-Factor Authentication page at /two-factor.
3. Open your authenticator app, find the entry for MemberPass, and type the 6-digit code into the Enter your authentication code field.
   Alternatively, click "login using a recovery code" to enter one of your recovery codes instead.
4. Click Verify. You're in.
We rate-limit the 2FA challenge to 5 attempts per minute to prevent brute-force attacks. If you miss a few codes in a row, wait a minute and try again. Don't reach for a recovery code unless you genuinely can't get a fresh TOTP.
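How a server can check what this section describes, as an added example (not MemberPass's own code): an RFC 6238 verifier for six-digit, 30-second codes behind a limit of 5 attempts per minute. HMAC-SHA1, the in-memory limiter, the lack of a clock-drift allowance, and the names totp, TwoFactorChallenge and DEMO_SECRET are assumptions; the secret is the constructed RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from collections import defaultdict, deque

STEP, DIGITS = 30, 6           # from the page: six-digit codes, 30-second rotation
MAX_ATTEMPTS, WINDOW = 5, 60   # from the page: 5 attempts per minute

# Constructed sample: base32 of the RFC 6238 test key b"12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at):
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 is an assumption)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // STEP)      # number of 30 s steps since epoch
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TwoFactorChallenge:
    """Hypothetical challenge handler; a real service would persist this state."""

    def __init__(self):
        self.attempts = defaultdict(deque)            # account -> recent attempt times

    def verify(self, account, secret_b32, code, now=None):
        now = time.time() if now is None else now
        recent = self.attempts[account]
        while recent and now - recent[0] >= WINDOW:   # forget attempts older than 60 s
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            return "rate_limited"                     # refuse without checking the code
        recent.append(now)                            # every checked attempt counts
        expected = totp(secret_b32, now)
        # Constant-time comparison avoids leaking how many digits matched.
        return "ok" if hmac.compare_digest(expected, code) else "invalid"
```

Once the limit is hit, even a correct code is refused until older attempts age out of the window, which is why waiting a minute works.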
Turn off 2FA
If you need to disable 2FA (for example, to switch to a new authenticator app or move to passkeys):
1. Go to Settings → Security.
2. Scroll to the 2FA section and click the red Disable Two Factor Authentication button.
2FA is removed from your account immediately. Your existing recovery codes are invalidated.
Disabling 2FA makes your account easier to break into. Only do this if you have something equally strong replacing it — like a passkey — or if you're in the middle of migrating to a new device.
Common problems
Two-factor vs. passkeys
Both are strong forms of second-factor protection, but they work differently:
| Feature | 2FA (TOTP) | Passkey |
|---|---|---|
| Extra step at sign-in | Yes, every time | No — the passkey replaces the password entirely |
| Requires a phone | Yes | No (but devices help) |
| Offline? | Yes (codes generate without internet) | Yes |
| Recovery | 8 printable recovery codes | Multiple passkeys across devices |
| Susceptible to phishing? | Still possible with social engineering | No — passkeys are cryptographically bound to MemberPass |
Either is a big upgrade over a password alone. If you can only pick one and your devices are modern, passkeys are the simpler daily experience.