
# Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds a second credential to the login flow, so a stolen password alone isn't enough to access an account. As a form of multi-factor authentication, it requires users to provide two different types of credentials to log in:

1. Something they know, typically their password.
2. Something they have, such as a smartphone, email account, or an authenticator app.

Enabling 2FA is one of the most effective ways to protect your data and reduce the risk of unauthorized access to your ExaVault account.

When enabled, two-factor authentication applies to logins to the web interface. After entering their username and password, users are prompted for a second verification method, depending on their chosen 2FA setup.

## Who Can Use 2FA

Any user who can set their own password can also configure 2FA from their User Profile. Each user manages their own 2FA setup; neither administrators nor other users can view or modify another user's 2FA configuration, so 2FA credentials stay private even from administrators.

## Is 2FA Required?

2FA is optional. If your organization requires 2FA for compliance or internal security policies, each user must enable and configure 2FA on their own account.

ExaVault does not have a setting that mandates 2FA across all users. Adoption is driven through policy or onboarding workflows.

## Supported 2FA Methods

ExaVault offers three methods your users can choose from to meet their needs.

### Authenticator Apps

These are apps that use TOTP (time-based one-time password), such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices.

If you've lost access to your authenticator app, you can receive a backup code via email during the login process.

### SMS (Text Messages)

This method is less secure than an authenticator app but still offers greater security than a password alone.

If you've lost access to your phone, you can receive a backup code via email during the login process.

### Email Verification

With this method, the user supplies a code sent to them via email each time they attempt to connect. Like SMS, email-based 2FA is less secure than other options but still better than relying on a password alone.

