Two-Factor Authentication

Modified on Mon, 27 Apr at 3:10 PM

Two-factor authentication (2FA) adds a second step to login — after the password, you enter a six-digit code from an authenticator app on your phone. It's the single most effective protection against compromised passwords. This guide covers turning it on for your own account and recommending it for owners and admins.

Why 2FA matters here

Booking Phoenix has access to your bookings, customer data, payment records, and the ability to issue refunds and edit financial settings. A compromised owner account is a serious incident. 2FA means even a stolen password isn't enough to log in — the attacker also needs the device that has the authenticator app.

At minimum, every Owner and Manager account should have 2FA enabled. For front-desk-only accounts the case is weaker but still worth doing.

Setting up 2FA on your account

1. Install an authenticator app

Pick one and install it on your phone:

  • Google Authenticator — simple, no account needed.
  • Microsoft Authenticator — if your team uses Microsoft 365.
  • Authy — backs up codes to the cloud, useful if you change phones often.
  • 1Password / Bitwarden — if you already use a password manager that supports TOTP, store the code there alongside the password.

Any TOTP-compatible app works. Don't use SMS-based 2FA — SIM swaps make it weaker than the alternatives.

2. Open your profile

Click your avatar in the top right and choose My Profile. Scroll to the security section and click Set up 2FA.

3. Scan the QR code

The setup screen shows a QR code. Open your authenticator app and scan it. The app adds Booking Phoenix to its list and starts showing a six-digit code that rotates every 30 seconds.

4. Enter the current code

Type the current six-digit code from your app into the setup form and click Verify. If it matches, 2FA is now active on your account.

5. Save the recovery codes

You'll see a list of one-time recovery codes — ten or so backup codes you can use if you lose your phone. Save them somewhere safe — a password manager, a printed copy in your office safe, or both. If you lose your phone and your recovery codes, you'll need a tenant admin to reset 2FA for you.

Logging in with 2FA enabled

Same as before, with one extra step:

  1. Enter email and password as normal.
  2. Booking Phoenix asks for a six-digit code.
  3. Open your authenticator app and type in the current code.
  4. Submit — you're in.

Codes rotate every 30 seconds. If your code expires while you're typing it, the next one appears in the app immediately — just use that one.

If you lose your phone

You have three escalation paths:

  1. Use a recovery code. Each code works once. Type one into the 2FA prompt instead of the rotating code.
  2. Restore the authenticator from backup. If you used Authy, Microsoft Authenticator, or a password manager with cloud sync, install the app on a new phone and your codes restore automatically.
  3. Ask a tenant admin to reset 2FA on your account. They'll disable 2FA for you, you log in, and you set it up again on the new device.

Resetting 2FA for another user (admin)

If a staff member loses their phone and recovery codes:

  1. Go to Users and open their profile.
  2. Click Reset 2FA.
  3. Confirm. The user's 2FA is disabled; on next login they enter only their password.
  4. Tell them to set up 2FA again from their profile as soon as they log in.

This action is logged in the audit log so it's traceable.
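Recovery codes (step 5 of setup, and escalation path 1 above) only work as a backup if each one is single-use and the server never stores them in the clear, and an admin reset (this section) has to wipe both the authenticator secret and the remaining codes and leave an audit trail. The following Python is an added example of that server-side bookkeeping, written for this article and not Booking Phoenix's own code; the `Account` and `AuditLog` classes, the code format and the SHA-256 storage are all assumptions used for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

RECOVERY_CODE_COUNT = 10   # "ten or so" codes, as the article says


def _hash_code(code: str) -> str:
    """Normalise user-typed formatting, then hash. The codes are random and
    high-entropy, so a plain SHA-256 is enough to keep them unreadable at rest
    (a slow password hash is only needed for low-entropy secrets)."""
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


@dataclass
class Account:                      # hypothetical user record
    email: str
    totp_secret: Optional[str] = None
    recovery_hashes: list = field(default_factory=list)


@dataclass
class AuditLog:                     # hypothetical stand-in for the product audit log
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, target: str) -> None:
        self.entries.append({"actor": actor, "action": action, "target": target})


def enable_2fa(account: Account, totp_secret: str) -> list:
    """Store the TOTP secret and mint fresh recovery codes.
    The plaintext codes are returned exactly once for the user to save;
    only their hashes stay on the account."""
    codes = [f"{secrets.token_hex(3)}-{secrets.token_hex(3)}"
             for _ in range(RECOVERY_CODE_COUNT)]
    account.totp_secret = totp_secret
    account.recovery_hashes = [_hash_code(c) for c in codes]
    return codes


def redeem_recovery_code(account: Account, submitted: str) -> bool:
    """Accept a recovery code at the 2FA prompt. A code that matches is
    deleted immediately, so it can never be used a second time."""
    digest = _hash_code(submitted)
    for i, stored in enumerate(account.recovery_hashes):
        if hmac.compare_digest(stored, digest):
            del account.recovery_hashes[i]
            return True
    return False


def admin_reset_2fa(account: Account, admin_email: str, audit: AuditLog) -> None:
    """Admin 'Reset 2FA': clear the secret and all remaining codes, and log who
    did it. The user logs in with password only until they re-enrol."""
    account.totp_secret = None
    account.recovery_hashes = []
    audit.record(admin_email, "reset_2fa", account.email)


if __name__ == "__main__":
    acct = Account("staff@example.com")                 # constructed sample user
    audit = AuditLog()
    codes = enable_2fa(acct, "DEMO-SECRET-NOT-REAL")
    print("codes shown to the user once:", codes)
    print("first use:", redeem_recovery_code(acct, codes[0]))
    print("reuse:", redeem_recovery_code(acct, codes[0]))
    admin_reset_2fa(acct, "owner@example.com", audit)
    print("after reset:", acct.totp_secret, len(acct.recovery_hashes), audit.entries)
```

The normalisation in `_hash_code` is what lets a user type a code with or without the hyphen, or in upper case from a printout, without weakening anything: the hash is computed over the canonical form in both directions.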

Recommendations by role

Role                            | 2FA recommendation
Owner                           | Required. Highest blast radius if compromised.
Manager                         | Required. Can refund and reset 2FA for other users.
Front Desk / Game Master        | Recommended — especially if they take card payments or access customer records.
Read-only / reporting accounts  | Optional. Lower risk, but easy to enable so why not.

Common pitfalls

  • Lost recovery codes. The most common 2FA support ticket. Save them to a password manager when you set up — future you will thank present you.
  • Phone clock skew. TOTP codes are time-based. If your phone's clock is wrong by more than 30 seconds, codes won't match. Make sure auto-set-time is on.
  • One person knows everyone's codes. Defeats the purpose. Each person installs and manages their own.
  • SMS 2FA. If your authenticator app offers SMS as a fallback, don't enable it. SIM swaps and number-porting attacks are real.

Tenant-wide enforcement

Owners can require 2FA tenant-wide, so any user without 2FA is forced to set it up on next login. Talk to support if you want this turned on. Worth doing for any tenant with more than a couple of staff or any meaningful customer database.
