Two-factor authentication (2FA) adds a second verification step after you enter your password. Doss supports two 2FA methods. You can switch between them at any time from your profile settings.
2FA must be enabled system-wide by an administrator under Preferences before users can configure it. When the two_step_verification preference is Enabled, the 2FA settings appear in your profile.
Available methods
SMS OTP
Google Authenticator
An SMS one-time password (OTP) is a 6-digit code sent to your registered phone number. The code is generated fresh each time you log in or switch to this method.Requirements:
- A verified phone number must be saved on your account before you can enable this method.
- The platform SMS gateway (e.g. Twilio) must be configured and active by an admin.
How it works:Go to 2FA settings
Navigate to your profile and open the Two-Factor Authentication section at profile/two-fa.
Select Phone as your 2FA method
Choose Phone from the method selector. If no phone number is on your account, you are prompted to add one first.The system verifies that your account has a carrierCode and phone set:// Response when phone is not set
{ "status": false, "message": "Please set your phone number first!" }
Receive and enter the OTP
A 6-digit code is sent to your phone number via SMS. Enter the code in the verification field on screen.The OTP is stored against your account in user_details.two_step_verification_code until used.
Confirm and save
Once the code is verified, user_details.two_step_verification is set to 1 and two_step_verification_type is set to phone. SMS OTP is now your active 2FA method.
- Enter your email/phone and password as usual.
- After successful password check, you are redirected to the 2FA verification screen.
- A new OTP is sent to your phone.
- Enter the code. On success, a
2fa key is placed in the session and you are admitted to the dashboard.
Remember this device:
You can check Remember me on this device during verification. The platform records your browser fingerprint in device_logs. On subsequent logins from the same browser, you skip the 2FA prompt. Google Authenticator generates time-based one-time passwords (TOTP) in an authenticator app on your phone. No SMS is required — codes are generated offline every 30 seconds.Requirements:
- Google Authenticator (or any TOTP-compatible app such as Authy or 1Password) installed on your phone.
Setup:Go to 2FA settings
Navigate to your profile and open the Two-Factor Authentication section at profile/two-fa.
Select Google Authenticator
Choose Google Authenticator from the method selector. The platform generates a new TOTP secret key using the pragmarx/google2fa library and returns a QR code inline image.// Response
{
"status": true,
"secret": "BASE32SECRETKEY",
"QR_Image": "<svg ...>",
"twoFaVerificationTypeForResponse": "google_authenticator"
}
Scan the QR code
Open your authenticator app and scan the QR code displayed on screen. The entry will be labelled with your Doss account email and the platform name.If your app does not support QR scanning, enter the secret key shown below the QR code manually.
Enter the 6-digit code
Your authenticator app displays a 6-digit code that changes every 30 seconds. Enter the current code in the verification field to confirm that setup was successful.The platform verifies the code using:$valid = $google2fa->verifyKey($user->google2fa_secret, $secret);
Save
On successful verification, your google2fa_secret is saved to your user record and two_step_verification_type is set to google_authenticator. Setup is complete.
- Enter your email/phone and password as usual.
- After successful password check, you are redirected to the Google Authenticator verification screen at
setting/google2fa-verify.
- Open your authenticator app and enter the current 6-digit code.
- On success, the
google2fa session key is cleared, a 2fa key is placed in the session, and you are admitted to the dashboard.
Remember this device:
Checking Remember me during verification logs your browser fingerprint in device_logs. Subsequent logins from the same browser skip the TOTP prompt. Switching methods
You can switch between SMS OTP and Google Authenticator at any time from profile/two-fa. When you select a different method:
- The platform sends a verification challenge using the new method.
- You enter the code to confirm the switch.
user_details.two_step_verification_type is updated to the newly selected method.
Switching does not disable 2FA — it changes the active method.
Disabling 2FA
To disable 2FA entirely:
- Open
profile/two-fa.
- Deselect your current method (set
two_step_verification_type to null or the disabled state).
- Confirm the change.
user_details.two_step_verification is set to 0.
Disabling 2FA reduces the security of your account. Only do this if you no longer have access to your phone or authenticator app. Contact support if you are locked out.
Recovery options
Doss does not currently generate one-time recovery codes. If you lose access to your 2FA method:
- SMS OTP: Contact support to update your phone number. An admin can clear the
two_step_verification_type from your account.
- Google Authenticator: If you lose your device, contact support. An admin can clear the
google2fa_secret field on your account, which removes the Google Authenticator binding and allows you to set up a new one.
If you are a Doss user (type = 'doss'), there is a separate 2FA management page at /doss/2fa. The setup and verification flow is the same as described above.
