# Configure Two-Factor Authentication using an Authenticator App

Two-factor authentication (2FA) protects the administrator account by asking for a one-time code in addition to the password. This page walks through pairing the account with an authenticator app that generates that code on your phone.

## Before you start

Install one of the supported authenticator apps on your mobile device:

- [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en)
- [FreeOTP](https://freeotp.github.io/)
- [Twilio Authy](https://authy.com/)
- [Microsoft Authenticator](https://www.microsoft.com/en-us/security/mobile-authenticator-app)

## Turn on two-factor authentication

1. Log in to the Cloud Voice Dashboard at https://voice.izt.cloud and click **Login** to open your phone system's management portal with full administrator access. Click your account name in the top-right corner, and open **Change Password & Security > Security Settings**.
2. Select the **Two-Factor Authentication** checkbox.
3. When the **Password** window appears, type your account password and click **Confirm** to authorize the change.
4. Choose **Authenticated by Authenticator**.
5. Register the account in your authenticator app using one of the methods below.

### Option A, scan the QR code

The fastest way to pair is to let the app read the QR code shown on screen.

1. Open the authenticator app on your phone and choose the option to scan a QR code.
2. Point the camera at the QR code displayed in the portal.

   ![Cloud Voice pairing QR code being read by a phone authenticator app](/images/pbx/scan-qr-code-from-auth-app.png)

The account is added automatically and the app begins showing a rotating 6-digit code.

### Option B, enter the secret key manually

Use this method when scanning isn't possible.

1. In the portal, click **Can't scan** next to the QR code. A secret key is generated, copy it down for the next step.

   ![Secret key generated in the portal for manual authenticator setup](/images/pbx/copy-secret-key.png)

   :::caution
   Treat the secret key like a password. Anyone who copies it (or photographs the QR code) can generate valid login codes for the administrator account, so do not share it, screenshot it, or store it anywhere insecure.
   :::

2. Open the authenticator app and choose the option to add an account manually.
3. Fill in the requested details and paste the secret key.

   :::note
   If the app asks for advanced settings, use the **TOTP** protocol with the **SHA1** algorithm, a **6-digit** code, and a **30**-second refresh interval.
   :::

The account is added and the app begins showing a rotating 6-digit code.

## Finish the setup

1. Back in the portal, type the current 6-digit code into the **Authentication Code** field.
2. Click **Save**.

## What happens next

- The portal confirms with an "Edited successfully." message, meaning 2FA is now active.
- At your next sign-in, you'll enter your password and then a fresh authentication code from the app.

![Cloud Voice, sign-in prompt requesting a two-factor authentication code](/images/pbx/log-in-with-2fa-pce.png)

:::tip
On the device you use most often, select the **Trusted Device** checkbox at sign-in. That device won't ask for an authentication code again for the next 180 days.
:::

:::note[Troubleshooting]
If an extension user can't sign in with two-factor authentication, you can [disable 2FA for their extension account](/pbx/administrator-guide/manage-two-factor-authentication/#manage-two-factor-authentication__dis-for-others) so they can log in with just their username and password.
:::
