MFA & Security

Multi-factor authentication (MFA) is required for every customer account. You set it up during first sign-in, and from then on every sign-in needs your password plus a second factor.

Why we require it

A password alone isn't enough protection. Most account compromises happen because a password got leaked or guessed somewhere else; a second factor — something tied to your phone or a physical key — stops the leak from turning into a sign-in.

Because the portal holds your invoices, payment links, service configurations, and the shared Drive with your project files, this protection matters more than for a generic web account.

Methods we support

You can use any of these. Most customers pick the first.

Authenticator app (TOTP)

A 6-digit code that rotates every 30 seconds, generated by an app on your phone. Free, works offline.

  • Apps: Google Authenticator, 1Password, Authy, Bitwarden, Microsoft Authenticator.
  • Setup: scan the QR code shown on screen with the app. Enter the 6-digit code the app shows to confirm.
  • Day-to-day: open the app at sign-in, type the current 6 digits.

Email code

A one-time code sent to your registered email each time you sign in.

  • Easiest to set up — nothing new to install.
  • Weakest of the options: anyone with access to your email can sign in. Better than nothing, but reach for one of the others if you can.
  • Best used as a backup factor next to a stronger primary.

SMS code

A one-time code sent by text message to your registered phone number.

  • Familiar from other services that use SMS.
  • Requires a working mobile signal at sign-in time. Travelling on a different SIM, sitting in a basement office, or losing your number all break it.
  • Don't enable as your only method if your phone number isn't reliably reachable.

Security key

A physical USB or NFC key — YubiKey, Titan, SoloKey, and similar — that you tap or insert when prompted.

  • Strongest of the four: nothing to phish, nothing to type.
  • One-off cost (~€25-€60 per key). Worth it if you sign in to several work accounts daily.
  • Buy two if you go this route — one for daily use, one stored somewhere safe as backup.

Adding a second method (recommended)

You can register more than one factor — for example, an authenticator app on your phone and a security key on your keyring. A second method is your safety net if you lose access to the first.

To add one, sign in as usual, then open your Security settings (top-right menu → Security on secure.dmu.gr). Follow the on-screen setup for the new method.

Save your recovery info during setup

Whichever method you pick the first time, save a way to get back in if the device is lost:

  • Authenticator app — save the QR code (or the secret it encodes) to a password manager when you set it up. Without it you can't migrate to a new phone yourself.
  • Email code — make sure you can still access that email from a device other than the one you'd normally sign in from.
  • SMS code — keep the phone number up to date in your profile. If you change it, update the portal before switching SIM.
  • Security key — register a second key on the same account and store it somewhere safe (a drawer at home, a safe deposit box). Losing your only key locks you out.

I've lost access to my second factor

Reach out. We can disable your existing MFA on our side after verifying who you are, so you can sign in and set up a new method.

We cannot retrieve a lost authenticator secret or security key — the only path forward is to remove the old factor and add a new one. This is a feature, not a limitation: if we could retrieve your secret, so could anyone else with access to our systems.