Two-Factor Authentication
Overview
Two-Factor Authentication (2FA) adds a second layer of security to your admin account. After enabling it, logging in requires both your password and a time-based one-time code generated by an authenticator app on your phone. Even if your password is compromised, an attacker cannot access your account without the code from your device.
ISPBills supports any TOTP-compatible authenticator app, including:
- Google Authenticator (Android / iOS)
- Authy (Android / iOS / Desktop)
- Microsoft Authenticator
Enabling 2FA
- Navigate to Settings → Two Factor (or Settings → Two Factor Authentication).
- A QR code is displayed on the page along with a manual setup key.
- Open your authenticator app on your phone.
- Tap Add Account or the + icon and choose Scan a QR code.
- Point your phone's camera at the QR code on screen. The account is added to your app immediately.
- Your app will begin displaying a 6-digit code that refreshes every 30 seconds.
- Enter the current 6-digit code from your app into the Verification Code field on the ISPBills page.
- Click Enable or Confirm.
- 2FA is now active. A success message confirms this.
Important: After enabling 2FA, store the backup/recovery codes (if provided) in a safe place. These allow you to regain access if you lose your phone.
Logging in with 2FA Enabled
Once 2FA is active, the login process changes:
- Enter your username and password as usual.
- A second screen prompts you to Enter your 2FA code.
- Open your authenticator app, find the ISPBills entry, and enter the current 6-digit code.
- Click Verify. You are logged in.
The code changes every 30 seconds. If the code is rejected, wait for the next code to appear in your app and try again.
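How the 6-digit, 30-second code is derived and why a code can be rejected, as an added example that is not ISPBills' own code: standard RFC 6238 TOTP (HMAC-SHA1) with a hypothetical server-side `verify` that tolerates one time step of clock drift and refuses replayed codes. The secret is the RFC 6238 test key, used here as constructed sample data; the tolerance window ISPBills actually applies is not stated on this page.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code, as stated on this page
DIGITS = 6    # code length, as stated on this page

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded the
# way a manual setup key is usually shown. Not a real account secret.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()


def totp(key_b32, at, digits=DIGITS, step=STEP):
    """Return the RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(key_b32.upper())
    counter = struct.pack(">Q", int(at) // step)       # 8-byte big-endian step index
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32, code, now, window=1, last_step=None):
    """Hypothetical server-side check (an assumption, not ISPBills' logic).

    Accepts codes from `window` steps either side of `now` to absorb clock
    drift, and refuses any step <= last_step so a used code cannot be replayed.
    Returns the matched step index, or None if the code is rejected.
    """
    current = int(now) // STEP
    matched = None
    for step_index in range(current - window, current + window + 1):
        expected = totp(key_b32, step_index * STEP)
        # Constant-time compare, no early exit: timing does not reveal a match.
        if hmac.compare_digest(expected, code) and matched is None:
            matched = step_index
    if matched is None or (last_step is not None and matched <= last_step):
        return None
    return matched


if __name__ == "__main__":
    now = time.time()
    print("current code for the sample key:", totp(SAMPLE_KEY, now))
```

With `window=0` a code typed just after the 30-second boundary is rejected, which is the situation the retry advice above covers; a phone whose clock is off by more than the window fails every time until its time is synchronised.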
Disabling 2FA
If you need to turn off two-factor authentication:
- Log in to your account (you will need your current 2FA code to do so).
- Navigate to Settings → Two Factor.
- Click Disable Two Factor Authentication.
- You may be asked to enter your password or current 2FA code to confirm the action.
- 2FA is disabled. Future logins will require only your password.
Recommendation: Only disable 2FA temporarily if necessary. Keeping 2FA enabled significantly reduces the risk of unauthorised access to your ISP management system.