---
title: Two-factor authentication
description: Enable TOTP, phone, or recovery codes to secure your DistantRace account
order: 49
---

# Two-factor authentication

**Two-factor authentication (2FA)** adds a second check when you log in. It is **optional for participants** but **required for organizer console access**.

**Path:** [Account → Two-factor authentication](https://distantrace.com/en/accounts/2fa/) — also linked from [Profile](https://distantrace.com/en/accounts/profile/) as **Manage two-factor authentication**.

## Why enable 2FA

- Protects your profile, registrations, and payment history
- **Required** to use the [organizer console](../running-events/access-the-organizer-console.md) after the grace period (see below)

You can register for and participate in events without 2FA. Only organizer and admin areas enforce it.

## Setup options

| Method | How it works |
|--------|----------------|
| **Authenticator app (TOTP)** | Scan a QR code with Google Authenticator, Authy, or similar |
| **Phone (SMS)** | Verify your number once, then receive login codes by text (Twilio Verify) |
| **Recovery codes** | One-time backup codes if you lose your device — generate from `/accounts/2fa/recovery-codes/` |
| **Passkey** | Separate from the 2FA page — see [Sign-in options](sign-in-options.md) for passkey login |

Follow the on-screen steps at `/accounts/2fa/` to activate your preferred method. Phone setup may pre-fill the number from your participant profile.

## Logging in with 2FA

After email/password (or social login), DistantRace prompts for your second factor at `/accounts/2fa/authenticate/` — app code, SMS, or recovery code.

If **only SMS** is configured, DistantRace sends a code automatically when the authenticate page loads. The page shows a masked phone number (for example `+371***12`).

## Recovery codes

Generate and **download recovery codes** when you set up 2FA. Store them offline. Each code works once if you cannot access your phone or authenticator app.

## Organizers

If you manage events, enable 2FA before console access is blocked:

1. After your **first event** is created, you get a **7-day grace period** — the console still works, but a banner shows days remaining and links to 2FA setup.
2. After grace expires, manager pages (except the event picker landing) are blocked until 2FA is enabled.

The block message reads: *Please enable Two-Factor Authentication if you want to continue to use console views.*

## Related

- [Sign-in options](sign-in-options.md)
- [Delete your account](delete-your-account.md)
