# Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) is an additional security layer that protects your EMQX Cloud member accounts. When 2FA is enabled, you'll need to enter a verification code generated by an authenticator app in addition to your username and password to log in.

## Important Notes

- [Member accounts](./user.md#member-account-system) must be in an active state to configure 2FA. After configuration, a verification code is required for every login.
- Users who have already configured 2FA cannot set it up again unless the existing 2FA is first removed by the root user.
- Please keep your authenticator app secure. Member accounts cannot delete or reset 2FA on their own. Contact the root user if you need to delete it.
- Only the root user can delete 2FA. Member accounts cannot perform this operation, even member accounts with administrator privileges.
- Accounts with [Single Sign-On (SSO)](./sso_overview.md) enabled cannot enable 2FA.

## Configure 2FA for Root User

Root users can secure their accounts with 2FA using either an email verification code or a mobile authenticator app.

1. Log in to the EMQX Cloud Console with the root account.
2. Click **Settings** from the left menu.
3. Select the **Security** tab and click the **Security** card. You will be directed to an account settings page.
4. Navigate to the **Two-Factor Authentication** section on the page. Select your preferred method for 2FA:
   - **Email Message**: A one-time code will be sent to your account email.
   - **Authenticator App**: Scan a QR code with an app like Google Authenticator or Microsoft Authenticator.

5. Follow the on-screen instructions to complete the setup.

   It's recommended to test the login immediately after configuration to ensure the authenticator app is working properly.

After enabling 2FA, click **Cloud Console** from the account menu in the upper-right corner to return to the platform.

## Configure 2FA for Member Account

1. Open the Team Member Sign-in page, and log in using the member account.
2. Click **Settings** from the left menu.
3. Select **Two-factor Authentication**.
4. Follow the on-screen instructions to complete the setup.
   
   It's recommended to test the login immediately after configuration to ensure the authenticator app is working properly.

## Lost Authenticator Handling

If a member user loses their authenticator app, follow these steps:

1. Contact the root user.
2. The root user should locate the corresponding member account on the **Team** page.
3. Click the **Remove 2FA** option in the **Actions** column.
4. After successful deletion, the member user can reconfigure 2FA.

## Additional Notes

- Ensure you have a reliable network connection when configuring 2FA.
- It's recommended to keep backups of your authenticator app on multiple devices.
- Regularly check whether your authenticator app is functioning properly.
- If you change phones or uninstall the authenticator app, make sure to contact the root account administrator in advance.