Two-factor authentication (2FA)

How to enable 2FA on your Costello account to protect against unauthorised access.

Two-factor authentication adds a second step to your login: a time-based one-time code (TOTP) generated by an authenticator app on your phone. A stolen password alone is then not enough to sign in to your account.

We strongly recommend enabling 2FA, especially for Owner and Admin accounts that have access to billing and channel settings.

Before you start

You'll need an authenticator app on your phone. Any TOTP-compatible app works:

  • Google Authenticator (iOS / Android)
  • Authy (iOS / Android / desktop)
  • 1Password (if you use it as a password manager)
  • Apple Passwords (iOS 18+)

Enabling 2FA

  1. Go to Settings → Account → Security.
  2. Click Enable two-factor authentication.
  3. Open your authenticator app and scan the QR code, or manually enter the setup key shown.
  4. Enter the 6-digit code from the app to confirm it's working.
  5. Save your backup codes. You'll see 10 single-use backup codes. Copy them to a safe place (a password manager is ideal) that is not on the same phone as your authenticator app. They are the only self-service way back into your account if you lose your phone; without them you'll have to go through support and identity verification.
  6. Click Finish setup.

2FA is now active. You'll be asked for a code on every new login.

Logging in with 2FA

After entering your email and password as normal, you'll be prompted for a 6-digit code. Open your authenticator app, find the Costello entry, and enter the current code. Codes refresh every 30 seconds, so if one is rejected, wait for the next code rather than retrying the same one. Codes are derived from the current time, so if they are consistently rejected, check that your phone's clock is set automatically; a clock that is off by more than a minute or so produces codes the server won't accept.

Using a backup code

If you've lost access to your authenticator app, click Use a backup code on the 2FA prompt and enter one of the 10 single-use codes you saved during setup. Each code is accepted only once; after you use one, cross it off your list.
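Added example of how single-use backup codes are typically issued and redeemed on the server side; it is illustrative code, not Costello's implementation. The user receives the plain codes once at setup, the server keeps only salted, slow-hashed copies, and a code is deleted on its first successful use, which is why a code "is gone" after you enter it. The code format, alphabet, scrypt parameters and class names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import List

# Alphabet without 0/O and 1/l/I, so codes read back from paper aren't mis-typed.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Issue `count` distinct random codes, shown as xxxxx-xxxxx for readability."""
    codes = set()
    while len(codes) < count:
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.add(raw[: length // 2] + "-" + raw[length // 2:])
    return sorted(codes)


def normalize(code: str) -> str:
    """Ignore case, spaces and hyphens so a code typed by hand still matches."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted scrypt: a stolen database of hashes should not reveal usable codes."""
    return hashlib.scrypt(normalize(code).encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class BackupCodeStore:
    """Per-user store of unredeemed backup codes. Only hashes are retained."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a code once: on match, remove its hash so it can never be reused.
        Callers must rate-limit this, since each code is far shorter than a password."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]
                return True
        return False


if __name__ == "__main__":
    issued = generate_backup_codes()       # shown to the user exactly once at setup
    store = BackupCodeStore(issued)        # what the server keeps
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

Note that only the hashes survive on the server, so losing the plain codes really does mean they are unrecoverable, which is why the setup step tells you to store them in a password manager.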

If you've used all backup codes and lost your authenticator app, submit a support case → — identity verification is required to restore access.

Disabling 2FA

  1. Go to Settings → Account → Security.
  2. Click Disable two-factor authentication.
  3. Enter your current password and a valid 2FA code to confirm.

Disabling 2FA removes the second-step requirement immediately.

If a team member is locked out

Only the user themselves can manage their own 2FA. Workspace Owners and Admins cannot disable 2FA on behalf of another team member. Direct them to submit a support case → with proof of identity.

Next steps

Still stuck? Submit a case →