Two-factor authentication (2FA) is one of the most effective defenses against unauthorized access to the OwnPay admin panel. Even if your password is compromised, an attacker cannot log in without physical access to your authenticator app. OwnPay uses the Time-based One-Time Password (TOTP) standard, compatible with apps such as Google Authenticator, Authy, and Bitwarden Authenticator.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/own-pay/OwnPay-Documentation/llms.txt
Use this file to discover all available pages before exploring further.
Enabling 2FA on Your Account
2FA is configured per account from the My Account settings page. Navigate there to enable or disable 2FA on your user profile. The super-administrator should ensure 2FA is active on all privileged accounts.Once 2FA is enabled, it cannot be bypassed at login. If you lose access to your authenticator device and have no backup recovery keys, a super-administrator must manually revoke and re-enable 2FA on your account from the Staff settings page.
Using 2FA at Login
Each time you log in with a 2FA-enabled account, you are automatically redirected to the/2fa verification screen after entering your password correctly.
Complete the standard login
Enter your Email or Username and Password on the login page and click Sign In.
Open your authenticator app
On your mobile device, open the authenticator app and find the OwnPay entry.
Read the current 6-digit code
Note the active 6-digit code. Each code is valid for a 30-second window. If the timer is nearly expired, wait for the next code to appear before typing — this avoids submitting an expiring code.
Enter the code and verify
Type the 6-digit code into the Verification Code field on the 2FA screen, then click Verify. Upon success, you are redirected to the Dashboard.
2FA Verification Fields Reference
| Field / Option | Required | Description |
|---|---|---|
| Verification Code | Yes | The 6-digit numeric code generated by your authenticator app for the current 30-second window. |
| Verify | — | Submits the code to complete the login session. |
| Cancel & Logout | No | Cancels the authentication flow entirely and returns you to the login page. Use this if you cannot complete 2FA (e.g. on a public computer). |
How the TOTP System Works
Clock Drift Tolerance
Clock Drift Tolerance
The server accepts codes from the current 30-second time slice as well as the one immediately before and after it — effectively allowing up to 60 seconds of tolerance. This gracefully handles minor clock differences between your device and the server without compromising security. However, keeping your device time set to automatic/network time is strongly recommended.
Replay Protection
Replay Protection
Once a TOTP code is used successfully, it is invalidated immediately and cannot be reused within the same time window. The system tracks the last used time slice to prevent session hijacking via code interception.
Rate Limiting
Rate Limiting
Submitting too many invalid codes will trigger the rate limiter and lock you out from further attempts for 5 minutes. This prevents brute-force attacks against the 6-digit code space.
Recovery Considerations
If you lose access to your authenticator app, recovery requires administrator intervention — there is no self-service bypass.Protect Your Backup Keys
Never share your 2FA secret key or backup recovery keys with anyone. Do not expose them to unauthorized users or transmit them over unencrypted channels.
Admin-Assisted Recovery
If you lose access to your authenticator device and cannot recover independently, a super-administrator can revoke the 2FA secret from the Staff settings page, allowing you to re-enable 2FA on your next login.
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
Invalid or expired 2FA code | Device clock is out of sync, or the code expired before submission. | Set your phone’s time to automatic/network time. Then wait for the next fresh code and enter it quickly. |
2FA secret could not be decrypted | Server decryption key mismatch — typically after a key rotation. | Contact your super-administrator to revoke and re-enable 2FA on your account. |
Rate limit exceeded | Too many incorrect code submissions in a short period. | Wait 5 minutes, then log in again from the start. |
| Lost authenticator app access | Device lost, factory reset, or app data deleted. | Use a saved backup recovery key if available, or have your super-administrator revoke and re-enable 2FA from the Staff settings page. |
Related Pages
Login
The primary credential screen — 2FA is triggered immediately after a successful password submission.
Forgot Password
Recover account access if you cannot log in due to a forgotten or expired password.