All users

Account security & two-factor authentication

Two-factor authentication (2FA) adds a second layer of protection to your account. Even if your password is compromised, a bad actor still can't sign in without your authenticator app.

Enabling two-factor authentication

Before you start, install an authenticator app on your phone: Google Authenticator, Authy, 1Password, Microsoft Authenticator, or any TOTP-compatible app.

  1. Go to Settings → Profile → Two-factor authentication.
  2. Click Enable 2FA.
  3. Scan the QR code with your authenticator app. Your account will appear as qr-manager.ai: your@email.com.
  4. Enter the 6-digit code shown in the app to confirm setup.
  5. Save your backup codes (see below).

Tip: Once 2FA is enabled, you'll be prompted for a code on every new login, including when you sign in with Google.

Backup codes

After enabling 2FA, you'll receive 8 backup codes. Each code can only be used once. They let you sign in if you lose access to your authenticator app.

  • Click Download backup codes to save them as a .txt file.
  • Store backup codes in a password manager, as a printout in a safe, or in another secure offline location.
  • Once all codes are used, disable and re-enable 2FA to generate a fresh set.
  • Using a backup code counts as successful 2FA — you'll be signed in normally.

Warning: If you lose your phone and run out of backup codes, you will be locked out of your account. Contact support for account recovery options.

Signing in with 2FA

The sign-in flow varies slightly depending on how you authenticate:

Email & password login

  1. Enter your email, then your password.
  2. Check Remember me if this is your personal device (skips 2FA for 30 days).
  3. You're redirected to a 2FA challenge screen — enter the 6-digit code from your app.
  4. Submit and you're signed in.

Google sign-in

  1. Sign in with Google as normal.
  2. You're redirected to the 2FA challenge screen.
  3. Check Remember me if this is your personal device, then enter your 6-digit code.
  4. Click Verify and you're signed in.

Trusted devices ("Remember me")

Checking Remember me marks your current browser as trusted for 30 days. On trusted devices, the 2FA challenge is skipped on subsequent sign-ins — you go straight to the dashboard after entering your password (or after Google sign-in).

How it works

A secure token is stored in your browser. On sign-in, the server validates the token and issues a session without requiring 2FA again.

Where to check it

For email/password: the checkbox appears above the Sign in button. For Google: it appears above the Verify button on the 2FA screen.

Duration

Trusted for 30 days from when you checked the box. After that you'll be prompted for 2FA again.

Revoking a trusted device

Go to Settings → Profile → Two-factor authentication → Trusted devices. You can revoke individual devices from there — useful if you accidentally trusted a shared or public computer.

Warning: Never check Remember me on a shared, public, or work-managed computer that others have access to.
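
One way a server could implement the trusted-device check, 30-day expiry and revocation described in this section, as an added example that is not qr-manager.ai's own code. The class and method names, the device label, and the choice to keep only a SHA-256 hash of the browser token on the server are assumptions.

```python
import hashlib
import secrets
from datetime import timedelta

TRUST_PERIOD = timedelta(days=30)  # "Remember me" lifetime stated on this page


class TrustedDeviceStore:
    """Hypothetical server-side store; only a hash of each browser token is kept."""

    def __init__(self):
        self._devices = {}  # token hash -> (user_id, label, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def trust(self, user_id, label, now):
        """Called after a successful 2FA check with Remember me ticked.
        `now` is a timezone-aware datetime supplied by the caller."""
        token = secrets.token_urlsafe(32)  # 256 random bits, sent to the browser
        self._devices[self._digest(token)] = (user_id, label, now + TRUST_PERIOD)
        return token

    def can_skip_2fa(self, user_id, token, now):
        """True only for an unexpired, unrevoked token issued to this same user."""
        if not token:
            return False
        key = self._digest(token)
        record = self._devices.get(key)
        if record is None or record[0] != user_id:
            return False
        if now >= record[2]:
            del self._devices[key]  # expired: forget it and ask for a code again
            return False
        return True  # expiry is not extended; it counts from when the box was checked

    def revoke(self, user_id, label):
        """Revoke one device from the Trusted devices list."""
        for key, (uid, lbl, _) in list(self._devices.items()):
            if uid == user_id and lbl == label:
                del self._devices[key]

    def revoke_all(self, user_id):
        """Run when 2FA is disabled, which revokes every trusted device."""
        for key, (uid, _, _) in list(self._devices.items()):
            if uid == user_id:
                del self._devices[key]
```

Because the server holds only hashes, a leaked copy of the store does not yield usable browser tokens, and revoking a device takes effect on its next sign-in attempt.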

Disabling two-factor authentication

You can disable 2FA from Settings → Profile → Two-factor authentication. You'll need to enter a valid 6-digit code from your authenticator app to confirm.

Note: Disabling 2FA also revokes all trusted devices. Next time you sign in you won't need a code — but your account will be less secure. We recommend re-enabling it as soon as possible.

Lost access to your authenticator

If you still have backup codes, use one instead of the 6-digit code at the 2FA prompt — click Use a backup code instead on the verification screen.

If you've used all backup codes and lost your authenticator, contact support with proof of account ownership. Recovery may take 1-2 business days for security reasons.

Tip: Save your backup codes now — before you need them.