# Manage Two-Factor Authentication for the Administrator Account

Two-factor authentication (2FA) adds a second verification step at login, on top of the username and password. Once it is enabled for the administrator account, you can adjust how it works over time. This page covers removing a device you no longer trust, switching to a different verification method, and turning the feature off, either for your own account or for an extension user who has been locked out.

Each task below starts from the same place. Log in to the Cloud Voice Dashboard at https://voice.izt.cloud and click **Login** to open your phone system's management portal with full administrator access. Then click your account name in the top-right corner, and open **Change Password & Security > Security Settings**.

## Remove a trusted device

A trusted device is one you have marked so it skips the second verification step at login. If you lose one, or simply want to revoke it, take it off the list so it can no longer be used.

:::note
Removing a device from this list does not turn off two-factor authentication. It only revokes that device's trusted status, so the next time someone signs in from it they are asked to complete the second verification step again.
:::

1. Go to **Change Password & Security > Security Settings**. Your trusted devices appear under **Trusted Device List**.

   
   ![Cloud Voice, the Trusted Device List with a delete control beside each entry](/images/pbx/manage-trusted-devices.png)

2. Click the delete icon ![Delete](/images/pbx/delete.png) next to the device you want to revoke.
3. Confirm by clicking **OK** in the dialog.

## Change the two-factor authentication method

You can switch to a different verification method whenever your needs change. The available methods include an authenticator app (which generates a rotating code) and email codes.

1. Go to **Change Password & Security > Security Settings**.
2. Click the edit icon ![Edit](/images/pbx/edit.png) next to the current method.
3. Choose the method you want, then fill in the settings it requires.

:::caution
Finish setting up the new method before you rely on it, and keep access to the old one until the new method is confirmed working. If you switch to a method you cannot complete (for example, email that you no longer receive), you can lock yourself out of the administrator account.
:::

## Disable two-factor authentication

### For your own account

You can turn off two-factor authentication for the administrator account at any time.

:::caution
The administrator account controls the entire phone system, including trunks and dial plans, so turning off two-factor authentication makes it much easier for an attacker to take over the account and run up toll fraud. Leave 2FA enabled unless you have a specific reason to remove it, and re-enable it as soon as you can. The password prompt in step 3 is a safety check to confirm the change is really you.
:::

1. Go to **Change Password & Security > Security Settings**.
2. Clear the **Two-Factor Authentication** checkbox.
3. When the **Password** window appears, enter your account password and click **Confirm** to verify the change.
4. Back on the **Security Settings** tab, click **Save**.

An "Edited successfully." message confirms that two-factor authentication is now off.

### For an extension user

If an extension user can no longer complete their second verification step, for example they lost their authenticator device or can no longer receive codes by email, you can disable two-factor authentication on their account so they can sign in with just a username and password.

1. Log in to the Cloud Voice Dashboard at https://voice.izt.cloud and click **Login** to open your phone system's management portal, then go to **Extension and Trunk > Extension**.
2. Click the edit icon ![Edit](/images/pbx/edit.png) next to the extension, then open the **Security** tab.
3. Scroll to the **Login Security** section and clear the **Two-Factor Authentication** checkbox.
4. When the **Password** window appears, enter your account password and click **Confirm** to verify the change.
5. Click **Save**.

Two-factor authentication is now disabled for that extension account.

:::note
The **Password** window in step 4 asks for your administrator password, not the extension user's password. It confirms that you, the administrator, authorized the change.
:::

:::tip
Once the user regains access to their device or email, have them turn two-factor authentication back on and re-enroll, so their account is protected again.
:::
