Setting up two-factor authentication (2FA)
2FA adds a second layer to your sign-in: even if someone steals your password, they can't sign in without your phone (or hardware key).
We strongly recommend enabling 2FA for every FormationHub account. Your account contains sensitive business and personal information; 2FA is the single most effective protection against account takeover.
Why 2FA matters
Without 2FA:
- An attacker who steals your password (phishing, data breach at another site, etc.) has full access to your account
- They can change your password, lock you out, download your documents, even file changes to your LLC
With 2FA:
- Stolen password is useless without the second factor
- Phishing becomes much harder
- Most "data breach" risk is neutralized
Types of 2FA we support
1. Authenticator app (recommended)
Apps: Authy, Google Authenticator, 1Password, Microsoft Authenticator, Bitwarden
Time-based 6-digit codes that rotate every 30 seconds
Works without internet connection after initial setup
Most secure option
2. SMS (text message)
Code sent to your phone via text
Easier to set up, but vulnerable to SIM-swap attacks
We support it but recommend an authenticator app instead
3. Hardware security key (coming Q2 2026)
YubiKey, Titan Key, etc.
Most secure option
Requires physical key on hand
How to set up authenticator-app 2FA
Step 1: Choose an app
If you don't already have one:
- 1Password ($3-5/month) — recommended if you don't have a password manager
- Authy (free) — recommended if you want cross-device sync
- Google Authenticator (free) — simple, works with Android + iOS
Install on your phone via App Store / Google Play.
Step 2: Open FormationHub 2FA settings
Sign in: https://www.formationhub.com/member
Go to Account Settings → Security
Click Enable 2FA under "Two-factor authentication"
Choose "Authenticator app"
Step 3: Scan the QR code
We display a QR code. In your authenticator app:
1. Tap the "+" or "Add" button
2. Choose "Scan QR code"
3. Point your phone camera at the QR code on screen
4. The app saves the FormationHub entry
Step 4: Verify
Your authenticator app now shows a 6-digit code that rotates every 30 seconds.
Back in FormationHub, enter the current code
Click "Verify"
If it matches, 2FA is enabled!
Step 5: Save backup codes
We show 10 single-use backup codes. Save these somewhere safe (password manager, printed and locked away).
These are your fallback if you lose your phone. Each code works once. Once you use one, it's gone.
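What Steps 3 to 5 rely on, as an added example (not FormationHub's code): the standard TOTP algorithm (RFC 6238) that an authenticator app runs offline from the secret in the QR code, and a hypothetical server-side check with a one-step clock-drift window, replay rejection and single-use backup codes. The class and parameter names, the HMAC-SHA1 default, the drift window and the hashed backup-code storage are assumptions.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the number of 30 s steps since the epoch."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _h(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-account server state; all names here are illustrative."""

    def __init__(self, secret: bytes, n_backup: int = 10):
        self.secret = secret
        self.last_step = -1  # highest time step already accepted
        self.backup_plain = [secrets.token_hex(8) for _ in range(n_backup)]  # shown once
        self.backup_hashes = {_h(c) for c in self.backup_plain}  # only hashes are kept

    def verify_totp(self, code: str, now: float, window: int = 1) -> bool:
        current = int(now) // 30
        for step in range(current - window, current + window + 1):
            if step <= self.last_step:
                continue  # already used (or before the epoch): no replay
            expected = totp(self.secret, step * 30)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

    def use_backup(self, code: str) -> bool:
        digest = _h(code)
        if digest not in self.backup_hashes:
            return False
        self.backup_hashes.remove(digest)  # each backup code works once
        return True

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (RFC 6238 test key)
    account = SecondFactor(secret)
    code = totp(secret, 59)  # what the phone shows at t=59 s, no network needed
    print(code, account.verify_totp(code, 65), account.verify_totp(code, 65))
```

The code computed at t=59 s is accepted at t=65 s because of the drift window, and the same code is rejected when submitted a second time.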
How to set up SMS 2FA
Step 1: Verify your phone number
Account Settings → Security → "Phone number" should show a verified number
If not, follow "Updating your account info" → "Phone number" section
Step 2: Enable SMS 2FA
Account Settings → Security → Enable 2FA → Choose "SMS"
We send a test code to your phone
Enter it to verify
SMS 2FA is enabled
Step 3: Save backup codes
Same as authenticator-app setup. Save the 10 backup codes.
Using 2FA on sign-in
After enabling 2FA, every sign-in goes:
1. Email + password
2. 6-digit code from your authenticator app (or SMS)
3. Signed in
If you check "Trust this device for 30 days," we won't ask again on that device for 30 days. Don't use this on shared / public computers.
Switching phones
When you get a new phone:
If you used Authy or 1Password (cloud sync)
Sign in to Authy / 1Password on the new phone
The FormationHub entry syncs automatically
Done
If you used Google Authenticator (no cloud sync until recently)
On old phone: Google Authenticator → tap menu → Transfer accounts → Export
On new phone: install Google Authenticator → Import accounts → scan the QR code from old phone
If you lost / broke the old phone before setting up the new one
Use one of your backup codes to sign in
Once signed in, disable 2FA, then re-enable on the new phone
This generates a new QR code + new set of backup codes
If you have NEITHER the phone NOR backup codes
Don't panic. We have a recovery process:
1. Open a chat with us
2. We verify your identity (3-5 questions about your account + a photo of your government ID matching the responsible-party name)
3. We disable 2FA on your account
4. You sign in with password, set up new 2FA
This process takes 1-4 hours during business hours. Hardware-key 2FA (coming Q2 2026) will reduce this hassle.
Common questions
"Should I enable 2FA on a brand-new account?"
Yes, immediately after first signup. The longer you wait, the more time an attacker has to steal your password elsewhere.
"Why can't I just use email-based 2FA?"
Email-based "2FA" isn't really 2FA — if someone gets your email password, they get both factors. We don't support it.
"Does 2FA slow me down?"
Marginally — 5 seconds per sign-in. With "trust this device for 30 days" checked, it's only on first sign-in per device or every 30 days.
"What if I'm in a country with intermittent cell service?"
Authenticator-app 2FA works offline. SMS 2FA does not. If you travel internationally often, use the app option.
"Can I have 2FA on AND a remembered device?"
Yes. The remembered-device cookie is your "third factor" — even though 2FA is required for new devices, trusted devices skip the second prompt for 30 days.
"Can I disable 2FA later if I change my mind?"
Yes, anytime. Account Settings → Security → Disable 2FA. We require your current password + a current 2FA code to disable, for safety.
Recommended security setup
A solid security baseline for any FormationHub customer:
[ ] Unique password (12+ chars, generated by password manager)
[ ] 2FA enabled (authenticator app preferred)
[ ] Backup codes saved (in password manager or printed + locked)
[ ] Phone number verified
[ ] Recovery email set (a different email you control)
[ ] Marketing emails: as desired
[ ] Transactional emails: cannot be disabled (you'll always get filing updates)
Estimated time to do all this: 10 minutes.
Next steps
Enable 2FA now: https://www.formationhub.com/member/settings/security
Choose your authenticator app: 1Password, Authy, Google Authenticator
Save your backup codes somewhere safe
If anything goes wrong: open a chat (M-F 9am-6pm ET)