Two-Factor Authentication (2FA) adds a powerful second layer of protection to your account. Even if someone gains access to your email or Connected Account, they won't be able to enter the Lobby without the rotating code from your authenticator app.
What is Two-Factor Authentication?
2FA requires two separate forms of verification before granting access to your account:
- Your primary login: email OTP, Magic Link, OAuth, or Passkey.
- A time-based code, generated by an authenticator app on your phone.
This means that even if your email account is compromised, an attacker cannot complete sign-in without physical access to your authenticator device.
TIP
We recommend using a trusted authenticator app such as Google Authenticator, Authy, 1Password, or Microsoft Authenticator. These are available free on both iOS and Android.
Enabling 2FA
Setting up Two-Factor Authentication takes less than a minute:
- Navigate to Settings > Privacy & Security.
- Locate the Two-Factor Authentication row and tap Enable 2FA.
- A QR code will appear on screen. Open your authenticator app and scan the code.
- Your authenticator app will begin generating 6-digit codes that refresh every 30 seconds.
- Enter the current code into the verification field and tap Verify & Enable 2FA.
- Once verified, 2FA is active on your account immediately.
IMPORTANT
Save or screenshot the QR code during setup. If you lose access to your authenticator device, you will need it to re-enroll on a new device. We do not store your secret key in a recoverable format.
Signing In with 2FA
Once 2FA is active, your login flow changes slightly:
- Sign in as usual via email OTP, Magic Link, Google, Apple, or any Connected Account.
- After your primary identity is verified, you'll be prompted for a 6-digit verification code.
- Open your authenticator app, read the current code, and enter it.
- You're in.
NOTE
Each code is valid for 30 seconds. If a code expires while you're typing, simply wait for the next one and enter that instead.
Disabling 2FA
If you need to turn off Two-Factor Authentication:
- Navigate to Settings > Privacy & Security.
- In the Two-Factor Authentication row, tap Disable 2FA.
- Enter your current authenticator code to confirm the action.
- 2FA is immediately removed from your account.
WARNING
Disabling 2FA reduces your account security. We strongly recommend keeping it enabled, especially if your account is linked to a Malet or if you process Murchases regularly.
2FA vs. Passkeys
Both features protect your account, but they work differently:
| Feature | Passkeys | Two-Factor Authentication |
|---|---|---|
| What it does | Replaces your primary login entirely | Adds a second step after your primary login |
| How it works | Biometric (Touch ID, Face ID) or security key | Time-based code from an authenticator app |
| Phishing protection | Built-in (cryptographic origin binding) | Codes can be intercepted in real-time phishing |
| Best for | Fast, daily sign-ins on trusted devices | Maximum security on shared or untrusted environments |
TIP
For the strongest protection, enable both a Passkey and 2FA. The Passkey gives you frictionless daily access, while 2FA provides a safety net if someone ever compromises your Connected Account credentials.
Troubleshooting
I lost my authenticator device
If you no longer have access to your authenticator app, contact Mallnline Support with your registered email address. After verifying your identity through alternative means, our team can manually reset your 2FA enrollment so you can re-enroll on a new device.
My codes aren't working
Authenticator codes are time-sensitive. Ensure your phone's clock is set to automatic (synced with network time). Even a 30-second drift can cause codes to fail.
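Why clock drift breaks a code, shown as an added example (not Mallnline's own code): a standard RFC 6238 TOTP generator and a verifier with a configurable drift window and replay check. HMAC-SHA1, the `window` policy, the `last_used_step` parameter and the sample secret are assumptions; only the 6-digit length and 30-second step come from this page.

```python
import base64, hashlib, hmac, struct

STEP = 30      # seconds per code, as stated on this page
DIGITS = 6     # code length, as stated on this page

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP using HMAC-SHA1 (assumed; the usual authenticator default)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step              # which 30 s step we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, server_time, window=1, last_used_step=None):
    """Return the matched time step, or None if the code is rejected.

    window: steps of clock drift tolerated on each side (hypothetical policy).
    last_used_step: highest step already accepted, so a code cannot be replayed.
    """
    current = int(server_time) // STEP
    for delta in range(-window, window + 1):
        step_no = current + delta
        if last_used_step is not None and step_no <= last_used_step:
            continue                              # already consumed
        expected = totp(secret_b32, step_no * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return step_no
    return None

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an enrollment QR code carries it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    server_now = 1111111109
    phone_code = totp(SECRET, server_now + 30)    # phone clock runs 30 s fast
    print("phone shows:", phone_code)
    print("strict verifier:", verify(SECRET, phone_code, server_now, window=0))
    print("one-step window:", verify(SECRET, phone_code, server_now, window=1))
```

A wider window tolerates more drift but also lengthens the time an intercepted code stays usable, which is why verifiers keep it small and record the last accepted step.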
Can I use SMS instead of an authenticator app?
SMS-based 2FA is on our roadmap but is not yet available. For now, a TOTP authenticator app is the supported method.