Two-step authentication (2FA) or two-factor authentication adds an extra layer of security to your Atoa account.
Along with your password, you'll need a one-time code each time you log in, either from an authenticator app or sent to your phone via SMS. This helps protect your account and your payments, even if someone else knows your password.
Who needs 2FA?
- Account owners and admins: 2FA is mandatory and cannot be turned off
- Supervisors, cashiers, and custom roles: 2FA is not required. These users log in using a one-time code (OTP) sent to their email or phone each time
How to set up 2FA?
You’ll be prompted to set this up when you log in.

- If you’re an existing user, you may see a prompt asking you to log out and create a password first
- Create a strong password to protect your account
- Once done, you’ll be guided through setting up 2FA
You can also set it up anytime from Security And Control in your account settings.
How does 2FA work?
When setting up 2FA, you can choose between two methods:
Option 1: Authenticator App (recommended)
- Download an authenticator app (such as Google Authenticator, Authy, or Microsoft Authenticator)
- Scan the QR code shown on screen, or copy the code below it and paste it manually into the app

- Your app will generate a 6-digit code. Enter this and click Next

- Once confirmed, 2FA will be enabled for your account
Option 2: SMS
- Enter your phone number (with country code) if you haven't already
- A 6-digit code will be sent to your phone via text message
- Enter the code and click Next
- If you didn't receive it, wait 60 seconds and tap Resend Code
Save your backup codes
Once you enable 2FA, you'll receive 10 backup verification codes. These are important.
- Use them if you lose access to your phone or authenticator app
- Without them, you'll need to contact support to recover your account
Tap Download or Copy to save them, and store them somewhere safe and separate from your phone.
Session timeout and trusted devices
If you're an owner or admin and haven't set up 2FA yet, you'll be automatically logged out after 60 hours and prompted to complete 2FA setup before you can continue.
For supervisors, cashiers, and custom roles, sessions also expire after 60 hours, after which you'll need to log in again using your OTP.
Once 2FA is set up, owners and admins can tick "Remember this device for 30 days" when logging in. This means you won't be asked for a 2FA code on future logins from the same browser or device for 30 days.
What happens next?
Once 2FA is enabled:
- You'll log in using your password + a 6-digit code from your authenticator app or via SMS
- You'll need to enter a fresh code each time you log in (unless you've saved a trusted device)
How to switch your 2FA method?
If you're an employee, you can switch between SMS (OTP) and an authenticator app at any time. Go to Security And Control → Two-step verification → Manage → Change method and select your preferred method.
What if I lose access to my authenticator app?
If you've lost your phone or switched to a new one, you can still get back in.
Use a backup code: on the 2FA screen during login, tap "Use a backup code" or "Can't access your code?" and enter one of your saved 8-character backup codes.
Once you're in, go to Security And Control → Two-Step Verification → Manage to set up 2FA on your new device, and generate a fresh set of backup codes.
If you're an employee and can't get back in, ask your account owner or admin. They can revoke your 2FA from the dashboard so you can set it up again on your next login.
If you're an owner or admin and have lost access to your 2FA device or uninstalled your authenticator app, contact Atoa Support. We'll verify your details and help you regain access.
2FA code not working?
If your 6-digit code keeps getting rejected, the most common cause is your phone's clock being slightly out of sync.
To fix this, go to Settings → Date & Time on your phone and make sure "Set automatically" is turned on. Then try again with a fresh code.
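Why a drifting clock causes rejections, shown as an added example (not Atoa's code): authenticator apps derive each code from a shared secret and the current time, so the phone and server must agree on the time step. The sketch assumes the RFC 6238 defaults (30-second step, HMAC-SHA1) and a server that accepts one step either side; Atoa's actual parameters are not stated on this page, and the secret is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: RFC 6238 default (assumption, not stated by Atoa)
DIGITS = 6   # the page states 6-digit codes

# Constructed sample secret: the RFC test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as common authenticator apps compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)   # time step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept the code for the server's current step or `window` steps either side."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


def accepted_with_skew(secret_b32: str, server_time: float,
                       phone_skew_seconds: float, window: int = 1) -> bool:
    """Would a code generated on a phone whose clock is off by the skew be accepted?"""
    phone_code = totp(secret_b32, server_time + phone_skew_seconds)
    return verify(secret_b32, phone_code, server_time, window)


if __name__ == "__main__":
    server_now = 150  # constructed timestamp, chosen to match published test vectors
    for skew in (0, 20, 45, 120):
        ok = accepted_with_skew(SAMPLE_SECRET, server_now, skew)
        print(f"phone clock off by {skew:>3}s -> {'accepted' if ok else 'rejected'}")
```

A phone that is a few seconds off still lands in an accepted step, while a clock that is minutes off produces a code the server never expects, which is why turning on automatic time fixes the problem.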
How to change your password?
You can update your password anytime from your settings:
- Go to Security And Control
- Tap Change password
- Enter your current password and tap Send verification code

- You'll receive a one-time code (OTP) on your registered email or phone. Enter the 6-digit code

- Enter your new password, confirm it, and tap Update password

What happens when 2FA is made mandatory for employees?
If an owner or admin enables mandatory 2FA for the organisation, here's what to expect:
- New employees will be prompted to set up 2FA the next time they log in
- Employees who are already logged in won't be affected until their next login session
FAQs
I entered the wrong 2FA code. What happens?
You have 3 attempts to enter the correct 6-digit code. If you exceed this, you'll see:
"Too many incorrect attempts. Please try again later or reset your password."
My account is locked after too many wrong passwords. What should I do?
If you enter the wrong password 5 times in a row, your account is temporarily locked for 20 minutes. You can wait for the countdown to finish, or reset your password straight away, which unlocks your account immediately.
What if I forget my password?
You can reset it from the login page:
- Tap "Forgot Password?" on the password screen
- Enter your email or phone number and tap Send Reset Code
- Enter the 6-digit code sent to your email or phone
- Choose a new password and confirm it
I didn't receive my reset code
Check your spam or junk folder if you don't see it in your inbox. If you're using SMS and still haven't received it, make sure your phone has signal and the number on your account is correct.
My reset link expired
Reset links are valid for 15 minutes only.
If it expires:
- Start the reset process again from the login page
- We’ll send you a new link
Do I need to enter a code every time I log in?
Yes, once 2FA is enabled, you'll always need your password and a 6-digit code. The only exception is if you've saved a trusted device, in which case you won't be prompted for a code on that device for 30 days.