# Configure Two-factor Authentication using Authenticator Application

Two-factor authentication adds a second check to your login: after your password, you also supply a short code generated by an authenticator app on your phone. This page walks you through turning it on from the Cloud Voice App Web Client.

:::note
Once enabled, two-factor authentication applies to every Cloud Voice App client you sign in to, not just the Web Client.
:::

## Before you start

Install one of the following authenticator apps on your mobile phone:

- Google Authenticator
- FreeOTP
- Twilio Authy
- Microsoft Authenticator

## Turn on two-factor authentication

1. In the Cloud Voice App Web Client, click your account name in the top-right corner, then choose **Change Password & Security > Security Settings**.
2. Select the **Two-Factor Authentication** checkbox.
3. When the **Password** window appears, type your account password and click **Confirm** to verify the change.
4. Choose **Authenticated by Authenticator**.
5. Register your account in the authenticator app using either the QR code or the secret key.

   **Scan the QR code (fastest)**

   1. Open the authenticator app on your phone and choose the option to scan a QR code.
   2. Scan the code displayed in the Web Client.

      ![QR code shown in the Web Client for adding your account to an authenticator app](/images/pbx/scan-qr-code-from-auth-app.png)

      The app adds your account automatically and begins showing a 6-digit code.

   **Enter the secret key manually**

   Use this method if you cannot scan the code.

   1. Click **Can't scan** next to the QR code. A secret key appears below the code; write it down for the next step.

      ![Secret key revealed beneath the QR code for manual entry](/images/pbx/copy-secret-key.png)

   2. Open the authenticator app on your phone and choose the option to add an account manually.
   3. Fill in the requested details and paste the secret key.

      :::note
      If the app asks for additional token settings, use the **TOTP** (Time-based One-Time Password) protocol with the **SHA1** algorithm, a **6-digit** code length, and a **30**-second refresh interval. These must match exactly or the codes the app generates will be rejected.
      :::

      Once saved, the app begins showing a 6-digit code for your account.

6. Back in the Web Client, type the current 6-digit code into the **Authentication Code** field.
7. Click **Save**.

## What happens next

- The Web Client displays **Edited successfully.**, confirming that two-factor authentication is active.
- From now on, signing in to any Cloud Voice App client (Web, Desktop, or Mobile) with your extension email address and password also prompts you for an authentication code.

:::caution
If you can no longer generate codes, for example because you lost your phone, ask your system administrator to disable two-factor authentication on your account. You can then sign in with just your email address and password.
:::
