
    Multi-Factor Authentication (MFA) Guide

    Learn what multi-factor authentication is, how to enable 2FA on your DNScale account using an authenticator app or a hardware security key, and how the login flow works with MFA enabled.

    Multi-factor authentication (MFA) adds an extra layer of security to your DNScale account. Even if someone obtains your password, they cannot sign in without access to your second factor. This guide explains how MFA works and how to set it up.

    What Is Multi-Factor Authentication?

    MFA requires you to verify your identity using two or more independent factors when signing in:

    1. Something you know — your password
    2. Something you have — a time-based code from an authenticator app, or a hardware security key

    By combining these factors, MFA makes unauthorized access significantly harder. A stolen password alone is not enough to compromise your account.

    Supported Methods

    DNScale supports the following authentication methods:

    | Method | Description |
    |---|---|
    | Email verification | A 6-digit code sent to your email address. This is the default for all accounts. |
    | Authenticator app (TOTP) | A 6-digit code generated by an app on your phone. Codes rotate every 30 seconds. |
    | Security key (WebAuthn) | A hardware key (like YubiKey) or built-in authenticator (like Touch ID or Windows Hello). Uses the FIDO2/WebAuthn standard. |
    | Recovery codes | One-time-use backup codes for emergencies when you cannot access your authenticator app or security key. |

    You can enable both an authenticator app and one or more security keys on the same account. Each method can be used independently to sign in.

    Compatible Authenticator Apps

    Any app that supports TOTP (Time-based One-Time Passwords) works with DNScale:

    • Google Authenticator (Android, iOS)
    • Microsoft Authenticator (Android, iOS)
    • Authy (Android, iOS, Desktop)
    • 1Password
    • Bitwarden
    • YubiKey Authenticator (with YubiKey hardware)

    Compatible Security Keys

    Any FIDO2/WebAuthn-compatible device works with DNScale:

    • USB security keys — YubiKey 5 series, SoloKey, Nitrokey, Google Titan
    • NFC security keys — YubiKey 5 NFC (tap to authenticate on mobile)
    • Platform authenticators — Touch ID (macOS), Windows Hello (Windows), Android biometrics

    Note: Security key support requires a browser that implements the WebAuthn API. All modern browsers (Chrome, Firefox, Safari, Edge) support it. The option to add a security key will only appear if your browser supports WebAuthn.

    Setting Up an Authenticator App (TOTP)

    Step 1: Open Security Settings

    Sign in to your DNScale dashboard and navigate to Settings. Scroll down to the Security card.

    You will see a "Two-Factor Authentication" section showing your current status as Disabled.

    Step 2: Start Setup

    Click the Enable 2FA button. A setup dialog will appear with a QR code.

    Step 3: Scan the QR Code

    Open your authenticator app and scan the QR code displayed in the dialog. If you cannot scan the code, click the manual entry option to copy the secret key and enter it in your app manually.

    Tip: Make sure the time on your phone is accurate. TOTP codes are time-sensitive, and a clock that is off by more than 30 seconds can cause codes to fail.

    Step 4: Enter the Verification Code

    Your authenticator app will now show a 6-digit code that refreshes every 30 seconds. Enter the current code in the verification field and click Verify & Enable.

    Step 5: Save Your Recovery Codes

    After verification, you will be shown 10 recovery codes. These are one-time-use backup codes that let you sign in if you lose access to your authenticator app.

    Important: Save these codes now. You will not be able to see them again. Store them in a password manager, print them out, or save them to a secure location.

    You can copy all codes to your clipboard or download them as a text file.

    Click I've Saved My Codes to complete the setup.

    Setting Up a Security Key (WebAuthn)

    Step 1: Open Security Settings

    Sign in to your DNScale dashboard and navigate to Settings. Scroll down to the Security card.

    Step 2: Add a Security Key

    In the "Security Keys" section, click Add Security Key. A dialog will appear asking you to name your key.

    Step 3: Name Your Key

    Enter a descriptive label for your key (e.g., "YubiKey 5", "MacBook Touch ID", "Backup Key"). This helps you identify which key is which if you register multiple keys.

    Step 4: Register the Key

    Click Register. Your browser will prompt you to interact with your security key:

    • USB key (YubiKey, SoloKey): Insert the key and touch the metal contact when it blinks
    • Touch ID (macOS): Place your finger on the Touch ID sensor
    • Windows Hello: Use your fingerprint, face, or PIN
    • NFC key: Tap the key to your device

    The registration completes automatically once you interact with the key.

    Step 5: Save Your Recovery Codes

    If this is your first MFA method, you will be shown 10 recovery codes. Save them in a secure location — they are your backup if you lose access to all your registered keys.

    Tip: Register a backup security key in case your primary key is lost or damaged. You can have multiple security keys on your account.

    How Login Works

    Without MFA (Default)

    1. Enter your email and password
    2. A 6-digit security code is sent to your email
    3. Enter the code (or click the link in the email)
    4. You are signed in

    With Authenticator App (TOTP Preferred)

    1. Enter your email and password
    2. You are prompted to enter your authenticator code
    3. Open your authenticator app and enter the current 6-digit code
    4. You are signed in

    No email is sent when TOTP is your preferred method, making sign-in faster and more secure.

    With Security Key (WebAuthn Preferred)

    1. Enter your email and password
    2. You see a "Touch your security key" prompt
    3. Insert your key and touch it (or use Touch ID / Windows Hello)
    4. You are signed in

    The entire sign-in takes just a few seconds — no codes to type.

    Switching Methods During Login

    On the verification screen, you can switch between available methods:

    • Use a security key — switch to WebAuthn authentication
    • Use authenticator app — switch to TOTP code entry
    • Use email verification instead — fall back to email code
    • Use a recovery code — enter a one-time recovery code

    Using a Recovery Code

    If you cannot access your authenticator app or security key (lost phone, broken key):

    1. Enter your email and password
    2. On the verification screen, click Use a recovery code
    3. Enter one of your saved recovery codes (format: xxxx-xxxx)
    4. You are signed in

    Each recovery code can only be used once. After using a code, consider regenerating your recovery codes from the dashboard.

    Managing Your MFA Settings

    Viewing Your Status

    Go to Settings > Security to see:

    • Whether 2FA is enabled or disabled
    • Your preferred verification method
    • Registered authenticator app and when it was last used
    • Registered security keys with names and last used dates
    • How many recovery codes you have remaining (out of 10)

    Setting Your Preferred Method

    When you have multiple MFA methods enabled, you can choose which one is prompted first during login:

    1. Go to Settings > Security
    2. Use the preferred method selector to choose between Authenticator App, Security Key, or Email
    3. The change takes effect on your next sign-in

    You can always switch to a different method from the login screen regardless of your preference.

    Managing Security Keys

    You can register multiple security keys (recommended for redundancy):

    • Each key is listed with its label and last used date
    • Click the trash icon next to a key to remove it
    • If you remove your last MFA method, two-factor authentication will be fully disabled

    Regenerating Recovery Codes

    If you have used some recovery codes or suspect they have been compromised:

    1. Go to Settings > Security
    2. Click Regenerate next to the recovery codes count
    3. Confirm the action (this invalidates all existing codes)
    4. Save the new set of 10 codes

    Disabling 2FA

    If you want to remove two-factor authentication:

    1. Go to Settings > Security
    2. Remove your authenticator app and/or security keys individually
    3. When the last MFA method is removed, 2FA is automatically disabled

    Your account will revert to email-based verification for sign-in.

    Device-Specific Guides

    Using Touch ID on Mac

    Touch ID acts as a platform authenticator through the WebAuthn standard. Your fingerprint never leaves your Mac — it is verified locally by the Secure Enclave chip, and only a cryptographic proof is sent to DNScale.

    Setup:

    1. Go to Settings > Security and click Add Security Key
    2. Name it something like "MacBook Touch ID" or "iMac Touch ID"
    3. Click Register — macOS will show a Touch ID prompt
    4. Place your finger on the Touch ID sensor
    5. Registration completes instantly

    Signing in:

    1. Enter your email and password
    2. A "Verify your identity" prompt appears — macOS shows the Touch ID dialog
    3. Touch the sensor — you are signed in

    Tips:

    • Touch ID works in Safari, Chrome, and other browsers that support WebAuthn
    • If you use multiple Macs, register Touch ID on each one separately — each device has its own Secure Enclave
    • If Touch ID fails (e.g., wet finger), you can switch to another method on the login screen
    • Touch ID credentials are tied to the specific Mac — if you replace your computer, you will need to register it again

    Using a YubiKey

    YubiKeys are USB or NFC hardware security keys that provide phishing-resistant authentication. They work by cryptographically verifying the site you are signing in to, so credentials cannot be stolen by fake login pages.

    Setup:

    1. Insert your YubiKey into a USB port (use a USB-C adapter if needed)
    2. Go to Settings > Security and click Add Security Key
    3. Name it (e.g., "YubiKey 5 NFC", "Backup YubiKey")
    4. Click Register — your browser shows a security key prompt
    5. Touch the metal contact on the YubiKey when it blinks
    6. Registration completes

    Signing in:

    1. Enter your email and password
    2. Insert your YubiKey when prompted
    3. Touch the metal contact — you are signed in

    Tips:

    • Register at least two YubiKeys — keep one as a backup in a safe place
    • YubiKey 5 NFC models also work over NFC on phones — tap the key against the back of your phone
    • YubiKeys work across all your devices (unlike Touch ID which is per-machine)
    • The YubiKey does not need batteries or charging — it is powered by the USB port
    • If you lose a YubiKey, sign in with another method, go to Settings, and remove the lost key immediately

    Using an Authenticator App

    Authenticator apps generate 6-digit codes that change every 30 seconds. This is called TOTP (Time-based One-Time Password). The code is generated entirely on your device — no internet connection is needed after the initial setup.

    Popular apps:

    | App | Platforms | Cloud backup | Notes |
    |---|---|---|---|
    | Google Authenticator | Android, iOS | Google account sync | Simple and widely used |
    | Microsoft Authenticator | Android, iOS | Microsoft account backup | Also supports push notifications for Microsoft services |
    | Authy | Android, iOS, Desktop | Encrypted cloud backup | Multi-device sync, desktop app available |
    | 1Password | All platforms | Vault sync | Integrates TOTP into your password manager |
    | Bitwarden | All platforms | Vault sync | Open-source password manager with TOTP support |

    Setup:

    1. Install your preferred authenticator app
    2. Go to Settings > Security and click Enable 2FA
    3. Open your authenticator app and scan the QR code displayed in DNScale
    4. If you cannot scan, tap "Can't scan?" to see the secret key and enter it manually
    5. Enter the 6-digit code your app shows to verify the setup
    6. Save your recovery codes

    Signing in:

    1. Enter your email and password
    2. Open your authenticator app and find the DNScale entry
    3. Enter the current 6-digit code — you are signed in

    Tips:

    • Make sure your phone's clock is set to automatic — TOTP codes depend on accurate time
    • If you switch phones, export your authenticator accounts before wiping the old phone (Google Authenticator supports account transfer, Authy syncs automatically)
    • Consider using a password manager with built-in TOTP (1Password, Bitwarden) so your codes are backed up and available on all devices
    • Screenshot the QR code during setup and save it in your password manager — this lets you re-add the account if you lose your phone without needing to disable and re-enable 2FA
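
    How the 6-digit, 30-second codes are derived and why clock drift breaks them, as an added example that is not DNScale's code. It follows RFC 6238 with HMAC-SHA1 and uses the RFC's published test secret; the one-step tolerance window and the replay check are assumptions, since this guide does not state the server's settings.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated in this guide
DIGITS = 6   # code length, as stated in this guide

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP keyed on the count of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP)

def verify(secret, code, server_time, window=1, last_used_step=-1):
    """Return the matched step, or None if the code is rejected.

    window is an ASSUMED tolerance in steps either side of the server's
    clock. last_used_step blocks replay of a code that was already accepted.
    """
    now = server_time // STEP
    for step in range(now - window, now + window + 1):
        if step > last_used_step and hmac.compare_digest(hotp(secret, step), code):
            return step
    return None

# Constructed sample data: the RFC 6238 test secret and a fixed server time.
SECRET = b"12345678901234567890"
SERVER_NOW = 1111111109  # 29 seconds into step 37037036

def drift_demo():
    """Codes from phones whose clocks run slow, checked against SERVER_NOW."""
    results = {}
    for slow_by in (0, 20, 45, 90):
        code = totp(SECRET, SERVER_NOW - slow_by)
        results[slow_by] = verify(SECRET, code, SERVER_NOW)
    return results

if __name__ == "__main__":
    print(drift_demo())
```

    With the assumed one-step window, a phone 45 seconds slow is still accepted on the previous step, while one 90 seconds slow is rejected; a server with no tolerance would reject both.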

    Security Best Practices

    • Use a hardware security key for the strongest protection against phishing — WebAuthn cryptographically verifies the site origin, so credentials cannot be replayed on fake sites
    • Register a backup security key in case your primary key is lost, stolen, or damaged
    • Use a password manager to store your recovery codes securely
    • Do not share your TOTP secret key, security keys, or recovery codes with anyone
    • Keep your phone's clock accurate — TOTP codes are time-based
    • Regenerate recovery codes after using any of them
    • Enable 2FA on your email account too — since email is a fallback authentication method, protecting your email adds another layer of defense

    Troubleshooting

    "Invalid authenticator code"

    • Make sure you are entering the code currently displayed in your app (codes change every 30 seconds)
    • Check that your phone's clock is set to automatic/network time
    • If the problem persists, try removing and re-adding the account in your authenticator app by disabling and re-enabling 2FA in DNScale

    Security key not recognized

    • Make sure your key is properly inserted in the USB port
    • Try a different USB port or use a USB-A adapter if needed
    • Check that your browser supports WebAuthn (all modern browsers do)
    • On macOS, make sure you have not disabled Touch ID in System Settings
    • If using an NFC key, hold it close to the NFC reader for a few seconds

    "The operation was cancelled"

    • You may have dismissed the browser's security key prompt. Click the verify button again to retry.
    • Some browsers time out after about 60 seconds — insert your key and touch it promptly after the prompt appears.

    "This security key is already registered"

    • The key you are trying to register is already associated with your account. Each physical key can only be registered once per account.

    "No recovery codes available"

    • All 10 recovery codes have been used. Contact support to regain access to your account.

    Lost Authenticator Device

    • Use one of your saved recovery codes to sign in
    • Or use a registered security key if you have one
    • Once signed in, go to Settings and remove the old TOTP method, then set it up again with your new device
    • If you have no recovery codes and no other MFA method, contact DNScale support for manual identity verification

    Lost Security Key

    • Use your authenticator app or email verification to sign in
    • Or use a recovery code
    • Once signed in, go to Settings and remove the lost key
    • Register a new security key if you have a replacement

    Codes Expire Too Quickly

    TOTP codes are valid for 30 seconds. If your code keeps expiring before you can enter it, check your device's clock synchronization. On most phones, this is under Settings > Date & Time > Automatic.
