---
icon: shield-check
---

# MFA & Security

Multi-factor authentication (MFA) is **required** for every customer
account. You set it up during first sign-in, and from then on
every sign-in needs your password plus a second factor.

## Why we require it

A password alone isn't enough protection. Most account
compromises happen because a password got leaked or guessed
somewhere else; a second factor — something tied to your phone
or a physical key — stops the leak from turning into a sign-in.

Because the portal holds your invoices, payment links, service
configurations, and the shared Drive with your project files,
this protection matters more than for a generic web account.

## Methods we support

You can use any of these. Most customers pick the first.

### Authenticator app (TOTP)

A 6-digit code that rotates every 30 seconds, generated by an
app on your phone. Free, works offline.

- Apps: **Google Authenticator**, **1Password**, **Authy**,
  **Bitwarden**, **Microsoft Authenticator**.
- Setup: scan the QR code shown on screen with the app. Enter
  the 6-digit code the app shows to confirm.
- Day-to-day: open the app at sign-in, type the current 6
  digits.

### Email code

A one-time code sent to your registered email each time you
sign in.

- Easiest to set up — nothing new to install.
- Weakest of the options: anyone with access to your email can
  sign in. Better than nothing, but reach for one of the others
  if you can.
- Best used as a backup factor next to a stronger primary.

### SMS code

A one-time code sent by text message to your registered phone
number.

- Familiar from other services that use SMS.
- Requires a working mobile signal at sign-in time. Travelling
  on a different SIM, sitting in a basement office, or losing
  your number all break it.
- Don't enable it as your *only* method if your phone number isn't
  reliably reachable.

### Security key

A physical USB or NFC key — YubiKey, Titan, SoloKey, and
similar — that you tap or insert when prompted.

- Strongest of the four: nothing to phish, nothing to type.
- One-off cost (~€25-€60 per key). Worth it if you sign in to
  several work accounts daily.
- Buy two if you go this route — one for daily use, one stored
  somewhere safe as backup.

## Adding a second method (recommended)

You can register more than one factor — for example, an
authenticator app on your phone *and* a security key on your
keyring. A second method is your safety net if you lose access
to the first.

To add one, sign in as usual, then open your **Security
settings** (top-right menu → **Security** on secure.dmu.gr).
Follow the on-screen setup for the new method.

## Save your recovery info during setup

Whichever method you pick the first time, save a way to get back
in if the device is lost:

- **Authenticator app** — save the QR code (or the secret it
  encodes) to a password manager when you set it up. Without it
  you can't migrate to a new phone yourself.
- **Email code** — make sure you can still access that email
  from a device other than the one you'd normally sign in from.
- **SMS code** — keep the phone number up to date in your
  profile. If you change it, update the portal before
  switching SIM.
- **Security key** — register a second key on the same account
  and store it somewhere safe (a drawer at home, a safe deposit
  box). Losing your only key locks you out.

## I've lost access to my second factor

[Reach out](../help-and-support/how-to-reach-us). We can disable
your existing MFA on our side after verifying who you are, so
you can sign in and set up a new method.

We **cannot** retrieve a lost authenticator secret or security
key — the only path forward is to remove the old factor and add
a new one. This is a feature, not a limitation: if we could
retrieve your secret, so could anyone else with access to our
systems.
