# Configure Two-Factor Authentication with an Authenticator App

Two-factor authentication adds a second check to your account login: after your password, you also supply a short code produced by an authenticator app on your phone. This page walks through turning that on from the desktop client.

:::note
Whatever you configure here covers your entire account. Once two-factor authentication is enabled, every Cloud Voice App client you sign in to enforces it.
:::

## Before you begin

Install a supported authenticator app on your mobile phone. Any of these will work:

- Google Authenticator
- FreeOTP
- Twilio Authy
- Microsoft Authenticator

## Turn on two-factor authentication

1. In the desktop client, select your account in the top-right corner, then open **Change Password & Security > Security Settings**.
2. Tick the **Two-Factor Authentication** checkbox.
3. When the **Password** dialog appears, type your account password and click **Confirm** to authorize the change.
4. Choose **Authenticated by Authenticator**.
5. Register your account in the authenticator app using one of the two methods below.

   **Option A, Scan the QR code (fastest)**

   1. Open the authenticator app on your phone and choose to scan a QR code.
   2. Point your phone at the QR code displayed in the desktop client.

      ![QR code shown in the desktop client for pairing an authenticator app](/images/pbx/scan-qr-code-from-auth-app.png)

      The app registers your account on its own and immediately starts showing a 6-digit code.

   **Option B, Enter a secret key manually**

   Use this if scanning isn't possible.

   1. In the desktop client, click **Can't scan** next to the QR code. A secret key appears beneath it, write it down.

      ![Secret key revealed below the QR code for manual authenticator setup](/images/pbx/copy-secret-key.png)

      :::caution
      Treat the secret key like a password. Anyone who obtains it can generate valid codes for your account, so do not photograph it, share it, or leave it written where others can see it. Discard your note once setup is finished.
      :::

   2. Open the authenticator app on your phone and choose to add an account manually.
   3. Fill in the account details and paste the secret key.

      :::note
      If the app asks for advanced settings, use the **TOTP** (Time-based One-Time Password) protocol with the **SHA1** algorithm, a **6**-digit code length, and a **30**-second refresh interval. These values must match exactly, otherwise the codes the app generates will be rejected.
      :::

      Your account is added and a 6-digit code appears.

6. Back in the desktop client, type the current 6-digit code into the **Authentication Code** field.
7. Click **Save**.

## What happens next

- An **Edited successfully.** confirmation means two-factor authentication is now active.
- From now on, signing in to any Cloud Voice App client, web, desktop, or mobile, with your extension email address and password also prompts you for an authentication code.

:::caution
If you ever lose access to your codes (for example, you misplace your phone or can no longer receive the code), ask your system administrator to turn off two-factor authentication for your account. You can then sign in with just your email address and password.
:::
