
How do I enable two-factor authentication?

Settings → Account → Two-Factor Authentication. Click Enable, scan the QR code with any TOTP-compatible authenticator (Google Authenticator, 1Password, Authy, Microsoft Authenticator), enter the 6-digit code to confirm, then save the 8 recovery codes somewhere safe. 2FA is free on every plan, including Free.

When to enable 2FA

You should enable it before you do anything sensitive with the account: connecting a bank, inviting a tax advisor, uploading the first batch of real invoices. Tax data is among the most sensitive personal data you hold: it puts income, employer, assets and family situation in one place. A leaked or guessed password alone shouldn't be enough for an attacker to log in.

The flow takes about a minute, and the only thing you need from outside the app is an authenticator app on your phone or in your password manager.

What "two-factor" actually means here

TaxItEasy uses TOTP (Time-based One-Time Password, RFC 6238). When you pair, your authenticator app and our server each store the same secret key; from then on the app derives a 6-digit code from that key and the current time, and the code rotates every 30 seconds. To sign in, you need both your password and the current code. The key itself is transmitted only once, inside the QR code or manual setup key at pairing time. On every later login only the 6-digit code crosses the network, and a code cannot be reversed to recover the key.

We do not support SMS as a second factor and never will. SIM-swap attacks are a documented and growing risk vector; TOTP closes that hole. If your authenticator app supports cloud backup (1Password, Authy, iCloud Keychain), use it. That is the modern recommendation, because losing the phone without a backup is a much more common problem than the theoretical risks of cloud-synced 2FA secrets. The one caveat: the account that holds the backup now holds your TaxItEasy secret too, so give it a strong, unique password and its own second factor.

The walk-through

Step 1 — open the settings page

In the app, go to Settings → Account → Two-Factor Authentication. You'll see the current state (Disabled if you haven't set it up yet) and an Enable 2FA button.

Step 2 — start the pairing

Click Enable 2FA. The screen shows a QR code, plus a manual setup key (a base32 string of about 26 characters). You only need one of them — most people scan the QR. The manual key is there for situations where the authenticator app can't scan codes (Apple Watch, certain hardware tokens, etc).

The shared secret has just been generated for you; it is shown only on this screen. If you close the page without finishing, you have to click Enable 2FA again and we'll mint a new secret.

Step 3 — pair your authenticator

Open your authenticator app of choice:

  • Google Authenticator (iOS/Android) — tap + → Scan a QR code → point at the screen.
  • 1Password — edit the TaxItEasy login (or create a new one), and in the One-Time Password field paste the manual setup key or tap the QR-code icon to scan.
  • Authy — tap Add Account → Scan QR code.
  • Microsoft Authenticator — tap + → Other (Google, Facebook, etc.) → Scan a QR code.
  • iCloud Keychain / Passwords (iOS 17+) — for the TaxItEasy entry, tap Set Up Verification Code and scan.

Any RFC-6238 TOTP app works. There is no "TaxItEasy-only" authenticator app, and using a non-standard one would actually be a bad sign.

Step 4 — confirm the pairing

The authenticator now shows a 6-digit code that changes every 30 seconds. Enter the current code on our setup screen and click Verify. If it's accepted, the page reloads with 2FA enabled and a list of recovery codes.

If the code is rejected and you're sure you typed it correctly, your phone's clock may be off. TOTP codes are computed from the current time in 30-second steps, so a clock that is wrong by a step or more produces codes we reject. Make sure automatic date/time is enabled on your phone, wait for a fresh code, and try again.
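To make the mechanism concrete, both for the description under "What two-factor actually means" and for the clock-drift failure just described, here is a minimal RFC 6238 implementation in Python. It is an added illustration, not TaxItEasy's code. It assumes the parameters the article gives (HMAC-SHA1, 6 digits, 30-second step), a server-side tolerance of one step either side (an assumption; the real window is not stated), and uses the RFC 6238 reference secret plus an illustrative account label and issuer for the QR-code URI.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # seconds per code, as the article states
DIGITS = 6   # code length, as the article states


def new_secret(nbytes: int = 16) -> str:
    """Mint a fresh shared secret as an unpadded base32 'manual setup key'.

    16 random bytes encode to 26 base32 characters, the length the
    article gives for the manual key.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(key: str) -> bytes:
    """Turn a manual setup key back into raw bytes.

    Tolerates the spaces and lower case users type in, and restores the
    '=' padding that setup keys conventionally omit.
    """
    key = key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the setup screen's QR code encodes.

    Label and issuer are whatever the service chooses; the values used in
    the usage below are illustrative.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    at = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(at // STEP))


def verify(secret_b32: str, submitted: str, at: Optional[float] = None,
           window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the code for the current step and `window` steps either side
    (window=1 tolerates roughly 30 s of phone-clock drift; beyond that the
    code is rejected, which is the failure the troubleshooting text
    describes). Returns the matched step so the caller can persist it and
    refuse any code for that step or an earlier one (`last_counter`), which
    stops a sniffed code from being replayed inside its window.
    """
    at = time.time() if at is None else at
    key = decode_secret(secret_b32)
    counter = int(at // STEP)
    submitted = submitted.strip().replace(" ", "")
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 reference secret ("12345678901234567890" in base32).
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(SECRET, "alice@example.com", "TaxItEasy"))  # illustrative label
    print(totp(SECRET, 59))          # RFC 6238 test vector: 287082
    print(verify(SECRET, totp(SECRET, 1111111109), at=1111111111))   # 30 s slow phone: accepted
    print(verify(SECRET, totp(SECRET, 1111111051), at=1111111111))   # 60 s slow phone: None
```

The two final lines are the drift case from the troubleshooting text: a phone one step behind still produces an accepted code, a phone two steps behind does not. Note that the server stores the same key the phone does; what it never sees again after pairing is the key in transit.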

Step 5 — save your recovery codes

This is the step people regret skipping. You get 8 single-use recovery codes — short alphanumeric strings. Each code works exactly once and replaces the 6-digit code if you ever lose your authenticator app.

Save them somewhere you'll actually find them in a year:

  • A password manager (1Password, Bitwarden, KeePass) — best option; same place as your TaxItEasy password.
  • An encrypted note on your laptop.
  • A printed copy in a desk drawer or safe — fine, just don't put it on a sticky note on the laptop itself.

Treat them like a backup password. Anyone with one of them can sign in if they also have your password. When you've used up all 8, generate fresh ones from the same settings page; old ones are invalidated in the same transaction.

If you ever do need to use a recovery code, see the article "How to use 2FA recovery codes".
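The recovery-code properties described above (a fixed set of eight, each usable once, the whole set replaced when you regenerate, and each code as good as a password in an attacker's hands) translate into a small server-side record. The following Python is an added example of how such a record can be kept, not TaxItEasy's code; the code format (two groups of five characters from a confusable-free alphabet), the per-user salt and the use of PBKDF2 are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import List

CODE_COUNT = 8
# Letters and digits that are hard to confuse when read back from paper (no 0/O, 1/I/L).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10   # 31 ** 10 is roughly 2 ** 49.5 possibilities: out of reach for online guessing
PBKDF2_ROUNDS = 100_000


def generate_code() -> str:
    """One recovery code, shown as xxxxx-xxxxx to make transcription easier."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
    return f"{raw[:5]}-{raw[5:]}"


def normalise(code: str) -> str:
    """Accept the code however the user typed it back: case, spaces and hyphens are ignored."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    """Store codes like passwords: only a salted, slow hash is kept.

    A slow hash matters here because ~50 bits is brute-forceable offline
    against a leaked table of fast hashes; PBKDF2 makes each guess costly.
    """
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode("ascii"), salt, PBKDF2_ROUNDS)


class RecoveryCodes:
    """Server-side record for one user's recovery codes (in-memory stand-in for a DB row)."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)   # per-user salt
        self.hashes: List[bytes] = []         # one entry per unused code

    def regenerate(self) -> List[str]:
        """Issue a fresh set; the old set disappears in the same assignment."""
        codes = [generate_code() for _ in range(CODE_COUNT)]
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes   # plaintext is handed to the user once and never stored

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """Consume a code: True if it was valid and unused, False otherwise."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[i]   # single use: the same code never works twice
                return True
        return False


if __name__ == "__main__":
    rc = RecoveryCodes()
    codes = rc.regenerate()
    print(codes)                       # the list the user is told to save
    print(rc.redeem(codes[0]))         # True
    print(rc.redeem(codes[0]))         # False: already used
    fresh = rc.regenerate()
    print(rc.redeem(codes[1]))         # False: old set invalidated by regeneration
    print(rc.remaining())              # 8
```

In a real database the replacement of the hash list would be one transaction, so there is never a moment when both the old and the new set are valid. Redemption should also be rate-limited and logged, since a recovery code plus a password is a complete login.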

After it's enabled

Every sign-in now asks for the 6-digit code after the password. The session length is unchanged — 30 days on a "remember this device" browser, 12 hours otherwise. You can disable 2FA from the same Settings page at any time (it asks for the current 6-digit code first, so an attacker with only your password can't undo it).

If you sign in on a new device or browser, you'll be asked for the code on first login there. Existing sessions on already-logged-in devices stay valid; we don't force-logout when 2FA is added, but we recommend reviewing Settings → Account → Active sessions and signing out anywhere you don't recognise.

Troubleshooting

The 6-digit code is rejected even though I typed it carefully. Phone-clock drift is the cause about 90% of the time. Open your phone settings, turn on automatic date/time, wait 10 seconds, then try a fresh code. If automatic time is already on and the code is still rejected, the entry in your authenticator app most likely holds a stale secret, for example from an earlier setup attempt you closed without finishing (every click of Enable 2FA mints a new secret). Delete the TaxItEasy entry in the app and re-pair.

I lost my phone. Use a recovery code. Sign in with email + password, then on the 6-digit prompt click Use a recovery code and enter one of the 8 you saved. Once in, immediately go to Settings → Account → Two-Factor Authentication and disable + re-enable 2FA on your new phone. The old pairing is invalidated.

All my recovery codes are gone. Email [email protected] from the email address on the account. We verify your identity (typically a few back-and-forth questions: signup date, last invoice you uploaded, a billing receipt number) and reset 2FA on our side. SLA: 1–3 working days. There is no automated bypass; this is intentional.

My authenticator app got wiped without backup. Same as losing the phone — use a recovery code if you have one, or email support if you don't. The pairing on our side is unchanged; the problem is only that your app no longer has the shared secret.

I want to keep 2FA codes in two apps (backup). Possible. Scan the same QR code into both apps before clicking Verify; both then hold the same secret and generate identical codes. The trade-off is that the secret now lives in two places, so the loss or compromise of either device exposes it. Protect both.
