Two-Factor Authentication (2FA)
What 2FA is
2FA reduces account takeover risk by combining your password with a second verification step.
With 2FA enabled, you log in with your password and complete one additional verification step. ONERWAY currently supports authenticator app and email verification.
2FA can also serve as a backup verification method if your passkey is not available.
We recommend using an authenticator app whenever possible, because it provides stronger protection than email verification.
Set up 2FA
You can set up 2FA in either of these ways:
- From the Secure your account page after you log in
- From Personal profile in your account settings
If your team admin requires 2FA, you may be prompted to set it up the next time you log in.
Set up an authenticator app
You can use apps such as Google Authenticator, Microsoft Authenticator, or Authy.
To set up an authenticator app:
- Open your chosen authenticator app.
- Add a new account.
- Scan the QR code shown in ONERWAY.
- Enter the 6-digit code from your app.
- Select Continue to finish setup.
If you cannot scan the QR code, you can use the manual setup option and enter the secret key instead.
Set up email verification
To set up email verification:
- Select Send code and continue.
- Check your registered email address for the verification code.
- Enter the 6-digit code.
- Select Continue to finish setup.
Choose your 2FA method
Authenticator app (recommended)
An authenticator app generates one-time verification codes on your device.
Why we recommend it:
- It works offline
- It provides stronger protection against interception and phishing
- It does not depend on access to your email inbox
Email verification
Email verification may be easier to start because no additional app is required, but it provides less protection than an authenticator app.
We do not recommend using email verification as your primary 2FA method because:
- Email can be intercepted
- It does not provide strong protection against phishing attacks
- Email delivery may be delayed or unreliable in some cases
You should only use email verification if you cannot use an authenticator app.
Recovery codes
Recovery codes can help you regain access to your account if you cannot use your usual verification method, such as a passkey, authenticator app, or email verification.
Important:
- Each recovery code can only be used once
- Store them in a safe place
- Do not share them with anyone
After you use a recovery code
Recovery codes are for account recovery only.
If you use one, we recommend restoring your usual verification method as soon as possible. You may also want to update your recovery codes and store them in a safe place.
Manage your 2FA settings
You can manage your 2FA settings from Personal profile.
Depending on your setup, you can:
- Add another 2FA method
- Choose your default 2FA method
- Regenerate recovery codes
- Remove a 2FA method
If both authenticator app and email verification are enabled, you can choose which one appears by default when 2FA is required.
Log in with 2FA
If your account has 2FA enabled and you log in with your password, you will need to complete an additional verification step before finishing login.
Depending on your account setup, you may be asked to use:
- A code from your authenticator app
- A code sent to your email
- A passkey to complete verification
- A recovery code, if needed
If you log in with a passkey directly, you may not need to complete a separate 2FA step.
If you lose access to your account
If you cannot use your usual verification method and do not have a recovery code available, you may need help restoring access to your account.
- If you are a team member, contact your team admin for help.
- If you are a team admin, contact your account manager to request an account reset.
For more information, see Managing team security.