Two-Factor Authentication

You have analytics data you don’t want anyone else accessing. A stolen password alone should never be enough to break in. HitKeep supports two second-factor methods: TOTP (time-based one-time passwords, compatible with any authenticator app) and Passkeys (WebAuthn, compatible with hardware security keys, Face ID, Touch ID, and Windows Hello). You can also generate recovery codes as one-time backup factors for account recovery.

Screenshot: HitKeep security settings (Settings → Security), showing TOTP authenticator app and hardware Passkey enrollment.

TOTP is compatible with Google Authenticator, Aegis, Bitwarden Authenticator, 1Password, and any RFC 6238-compliant app.

  1. Open Settings → Security in the HitKeep dashboard.
  2. Under Two-Factor Authentication, click Set up authenticator app.
  3. Scan the QR code with your authenticator app.
  4. Enter the 6-digit code displayed in your app to confirm.

TOTP is now active. On future logins you will be prompted for the current code after entering your password.
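What an RFC 6238-compliant app computes for the 6-digit code, and how a server can check it, as an added example that is not HitKeep's own code. HMAC-SHA-1 and the 30-second step are the RFC defaults and are assumed here; the one-step drift window, the replay check and the function names are illustrative assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed)
DIGITS = 6   # code length the enrollment flow asks for


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA-1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: float,
           last_step: int = -1, window: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Codes from `window` steps either side of `at` are accepted to absorb
    clock drift. Any step <= last_step is refused, so a code that was
    already accepted cannot be replayed inside its validity window.
    """
    now_step = int(at) // STEP
    matched = None
    for step in range(max(0, now_step - window), now_step + window + 1):
        expected = totp(secret, step * STEP)
        # Constant-time comparison: no hint about how many digits matched.
        same = hmac.compare_digest(expected.encode(), code.encode())
        if same and step > last_step:
            matched = step
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret
    code = totp(secret, 59)
    print("code at t=59:", code)
    step = verify(secret, code, at=75)  # entered a few seconds later
    print("accepted in step:", step)
    print("replay accepted:", verify(secret, code, at=80, last_step=step))
```

The caller stores the returned step per user and passes it back as `last_step` on the next login.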

Passkeys replace your password entirely with a cryptographic credential stored on your device. Supported authenticators include:

  • Hardware keys: YubiKey 5, FIDO2 USB keys
  • Platform authenticators: Apple Face ID / Touch ID, Android biometrics, Windows Hello

To add a passkey:

  1. Open Settings → Security in the HitKeep dashboard.
  2. Under Passkeys, click Add passkey.
  3. Follow your browser’s prompt to register your authenticator.

Once registered, you can log in by clicking Sign in with a passkey on the login page — no password needed.

Screenshot: HitKeep login page with password sign-in and passkey sign-in options. The login screen exposes passkey sign-in directly, so enrolled users can authenticate without typing a password first.

Recovery codes are single-use backup codes for the case where you still know your password but no longer have your authenticator app or passkey device.

  1. Open Settings → Security in the HitKeep dashboard.
  2. Under Recovery codes, click Generate codes or Regenerate codes.
  3. Store the displayed codes immediately.
  4. Use Copy all or Download .txt to keep them somewhere safe.

To sign in with a recovery code:

  1. Enter your email address and password.
  2. On the MFA screen, choose Use recovery code.
  3. Enter one of your unused recovery codes.

Each recovery code can be used exactly once.

If another instance owner is still able to log in, they can reset MFA for a locked-out user from Administration → Users → Disable MFA. This is an online, owner-only action and is the preferred operator workflow for cloud deployments.

If no owner can log in, the offline CLI recovery command is still available as break-glass recovery:

hitkeep recover disable-2fa --email user@example.com

See the Recovery Guide for full details.

Prefer not to manage authentication infrastructure yourself? HitKeep Cloud handles backups, security updates, and account recovery automatically.