P4
Add a second factor
Enroll a TOTP authenticator (RFC 6238).
- 1
Set up TOTP and add the secret to your app.
The seed is generated server-side and stored AES-GCM-encrypted — the database never holds it in the clear.
- 2
Enter a 6-digit code to confirm enrollment.
Codes are HMAC-SHA1 over a 30-second step (RFC 6238); a used step is remembered so the same code can’t be replayed.
Do it
This one happens on your account page — register a passkey, revoke a session, or enroll TOTP there.
Go to your account →Learn the theory
🩻 X-ray — what actually happened
Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.
Loading…