
    Multi-Factor Authentication (MFA) Guide

    Learn what multi-factor authentication is, how to enable 2FA on your DNScale account using an authenticator app or a hardware security key, and how the login flow works with MFA enabled.

    Multi-factor authentication (MFA) adds an extra layer of security to your DNScale account. Even if someone obtains your password, they cannot sign in without access to your second factor. This guide explains how MFA works and how to set it up.

    What Is Multi-Factor Authentication?

    MFA requires you to verify your identity using two or more independent factors when signing in:

    1. Something you know — your password
    2. Something you have — a time-based code from an authenticator app, or a hardware security key

    By combining these factors, MFA makes unauthorized access significantly harder. A stolen password alone is not enough to compromise your account.

    Supported Methods

    DNScale supports the following authentication methods:

    Method | Description
    ------ | -----------
    Email verification | A 6-digit code sent to your email address. This is the default for all accounts.
    Authenticator app (TOTP) | A 6-digit code generated by an app on your phone. Codes rotate every 30 seconds.
    Security key (WebAuthn) | A hardware key (like YubiKey) or built-in authenticator (like Touch ID or Windows Hello). Uses the FIDO2/WebAuthn standard.
    Recovery codes | One-time-use backup codes for emergencies when you cannot access your authenticator app or security key.

    You can enable both an authenticator app and one or more security keys on the same account. Each method can be used independently to sign in.

    Compatible Authenticator Apps

    Any app that supports TOTP (Time-based One-Time Passwords) works with DNScale:

    • Google Authenticator (Android, iOS)
    • Microsoft Authenticator (Android, iOS)
    • Authy (Android, iOS, Desktop)
    • 1Password
    • Bitwarden
    • YubiKey Authenticator (with YubiKey hardware)

    Compatible Security Keys

    Any FIDO2/WebAuthn-compatible device works with DNScale:

    • USB security keys — YubiKey 5 series, SoloKey, Nitrokey, Google Titan
    • NFC security keys — YubiKey 5 NFC (tap to authenticate on mobile)
    • Platform authenticators — Touch ID (macOS), Windows Hello (Windows), Android biometrics

    Note: Security key support requires a browser that implements the WebAuthn API. All modern browsers (Chrome, Firefox, Safari, Edge) support it. The option to add a security key will only appear if your browser supports WebAuthn.

    Setting Up an Authenticator App (TOTP)

    Step 1: Open Security Settings

    Sign in to your DNScale dashboard and navigate to Settings. Scroll down to the Security card.

    You will see a "Two-Factor Authentication" section showing your current status as Disabled.

    Step 2: Start Setup

    Click the Enable 2FA button. A setup dialog will appear with a QR code.

    Step 3: Scan the QR Code

    Open your authenticator app and scan the QR code displayed in the dialog. If you cannot scan the code, click the manual entry option to copy the secret key and enter it in your app manually.

    Tip: Make sure the time on your phone is accurate. TOTP codes are time-sensitive, and a clock that is off by more than 30 seconds can cause codes to fail.

    Step 4: Enter the Verification Code

    Your authenticator app will now show a 6-digit code that refreshes every 30 seconds. Enter the current code in the verification field and click Verify & Enable.

    Step 5: Save Your Recovery Codes

    After verification, you will be shown 10 recovery codes. These are one-time-use backup codes that let you sign in if you lose access to your authenticator app.

    Important: Save these codes now. You will not be able to see them again. Store them in a password manager, print them out, or save them to a secure location.

    You can copy all codes to your clipboard or download them as a text file.

    Click I've Saved My Codes to complete the setup.

    Setting Up a Security Key (WebAuthn)

    Step 1: Open Security Settings

    Sign in to your DNScale dashboard and navigate to Settings. Scroll down to the Security card.

    Step 2: Add a Security Key

    In the "Security Keys" section, click Add Security Key. A dialog will appear asking you to name your key.

    Step 3: Name Your Key

    Enter a descriptive label for your key (e.g., "YubiKey 5", "MacBook Touch ID", "Backup Key"). This helps you identify which key is which if you register multiple keys.

    Step 4: Register the Key

    Click Register. Your browser will prompt you to interact with your security key:

    • USB key (YubiKey, SoloKey): Insert the key and touch the metal contact when it blinks
    • Touch ID (macOS): Place your finger on the Touch ID sensor
    • Windows Hello: Use your fingerprint, face, or PIN
    • NFC key: Tap the key to your device

    The registration completes automatically once you interact with the key.

    Step 5: Save Your Recovery Codes

    If this is your first MFA method, you will be shown 10 recovery codes. Save them in a secure location — they are your backup if you lose access to all your registered keys.

    Tip: Register a backup security key in case your primary key is lost or damaged. You can have multiple security keys on your account.

    How Login Works

    Without MFA (Default)

    1. Enter your email and password
    2. A 6-digit security code is sent to your email
    3. Enter the code (or click the link in the email)
    4. You are signed in

    With Authenticator App (TOTP Preferred)

    1. Enter your email and password
    2. You are prompted to enter your authenticator code
    3. Open your authenticator app and enter the current 6-digit code
    4. You are signed in

    No email is sent when TOTP is your preferred method, making sign-in faster and more secure.

    With Security Key (WebAuthn Preferred)

    1. Enter your email and password
    2. You see a "Touch your security key" prompt
    3. Insert your key and touch it (or use Touch ID / Windows Hello)
    4. You are signed in

    The entire sign-in takes just a few seconds — no codes to type.

    Switching Methods During Login

    On the verification screen, you can switch between available methods:

    • Use a security key — switch to WebAuthn authentication
    • Use authenticator app — switch to TOTP code entry
    • Use email verification instead — fall back to email code
    • Use a recovery code — enter a one-time recovery code

    Using a Recovery Code

    If you cannot access your authenticator app or security key (lost phone, broken key):

    1. Enter your email and password
    2. On the verification screen, click Use a recovery code
    3. Enter one of your saved recovery codes (format: xxxx-xxxx)
    4. You are signed in

    Each recovery code can only be used once. After using a code, consider regenerating your recovery codes from the dashboard.

    Managing Your MFA Settings

    Viewing Your Status

    Go to Settings > Security to see:

    • Whether 2FA is enabled or disabled
    • Your preferred verification method
    • Registered authenticator app and when it was last used
    • Registered security keys with names and last used dates
    • How many recovery codes you have remaining (out of 10)

    Setting Your Preferred Method

    When you have multiple MFA methods enabled, you can choose which one is prompted first during login:

    1. Go to Settings > Security
    2. Use the preferred method selector to choose between Authenticator App, Security Key, or Email
    3. The change takes effect on your next sign-in

    You can always switch to a different method from the login screen regardless of your preference.

    Managing Security Keys

    You can register multiple security keys (recommended for redundancy):

    • Each key is listed with its label and last used date
    • Click the trash icon next to a key to remove it
    • If you remove your last MFA method, two-factor authentication will be fully disabled

    Regenerating Recovery Codes

    If you have used some recovery codes or suspect they have been compromised:

    1. Go to Settings > Security
    2. Click Regenerate next to the recovery codes count
    3. Confirm the action (this invalidates all existing codes)
    4. Save the new set of 10 codes
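
    The recovery-code behaviour described above (10 codes, xxxx-xxxx format, single use, regeneration invalidating the old set) can be modelled as follows. This is an added sketch, not DNScale's implementation; the character set, the PBKDF2 parameters and the RecoveryCodes class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed; the guide shows only xxxx-xxxx
CODE_COUNT = 10                                     # set size stated in this guide


def new_code() -> str:
    raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
    return f"{raw[:4]}-{raw[4:]}"


class RecoveryCodes:
    """Keeps salted slow hashes only; a code is deleted the first time it works."""

    def __init__(self) -> None:
        self._salt = b""
        self._hashes: set = set()

    def _hash(self, code: str) -> bytes:
        normalized = code.strip().lower().encode()
        return hashlib.pbkdf2_hmac("sha256", normalized, self._salt, 100_000)

    def regenerate(self) -> list:
        codes: set = set()
        while len(codes) < CODE_COUNT:          # guarantees 10 distinct codes
            codes.add(new_code())
        self._salt = secrets.token_bytes(16)
        self._hashes = {self._hash(c) for c in codes}  # replaces the old set entirely
        return sorted(codes)                    # shown once, never stored in clear

    def redeem(self, code: str) -> bool:
        candidate = self._hash(code)
        match = next((h for h in self._hashes
                      if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self._hashes.remove(match)              # one-time use
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = RecoveryCodes()
    first = store.regenerate()
    print(store.redeem(first[0]), store.redeem(first[0]), store.remaining())
```

    With the assumed alphabet each code carries about 41 bits, so the slow hash only raises the cost of guessing from a leaked database; attempt limits at sign-in are still needed.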

    Disabling 2FA

    If you want to remove two-factor authentication:

    1. Go to Settings > Security
    2. Remove your authenticator app and/or security keys individually
    3. When the last MFA method is removed, 2FA is automatically disabled

    Your account will revert to email-based verification for sign-in.

    Security Best Practices

    • Use a hardware security key for the strongest protection against phishing — WebAuthn cryptographically verifies the site origin, so credentials cannot be replayed on fake sites
    • Register a backup security key in case your primary key is lost, stolen, or damaged
    • Use a password manager to store your recovery codes securely
    • Do not share your TOTP secret key, security keys, or recovery codes with anyone
    • Keep your phone's clock accurate — TOTP codes are time-based
    • Regenerate recovery codes after using any of them
    • Enable 2FA on your email account too — since email is a fallback authentication method, protecting your email adds another layer of defense
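
    Why a security key resists fake sites, as an added example (not DNScale's code): the browser, not the page, writes the origin into clientDataJSON, and the key hashes the relying-party ID into its authenticator data, so the server can reject a response produced anywhere else. The dnscale.example names are placeholders, simulate() is a constructed stand-in for the browser and key, and signature verification is left out.

```python
import base64
import hashlib
import json

RP_ID = "dnscale.example"            # placeholder relying-party ID (assumption)
ORIGIN = "https://dnscale.example"   # placeholder origin the server expects


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    issued_challenge: bytes) -> str:
    """Return "ok" or the reason the sign-in response is rejected.

    A real relying party also verifies the key's signature over
    auth_data || SHA-256(client_data_json); that step is omitted here.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"      # stale or replayed response
    if client.get("origin") != ORIGIN:
        return "origin mismatch"         # browser reported a different site
    if len(auth_data) < 37:
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"       # credential scoped to another RP ID
    if not auth_data[32] & 0x01:
        return "user not present"        # UP flag: the key was not touched
    return "ok"


def simulate(origin: str, rp_id: str, challenge: bytes, touched: bool = True):
    """Constructed stand-in for what the browser and key return (unsigned)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = bytes([0x01 if touched else 0x00])
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client_data, auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))     # constructed; real challenges are random
    for origin, rp in [(ORIGIN, RP_ID), ("https://dnscale-login.example", "dnscale-login.example")]:
        print(origin, "->", check_assertion(*simulate(origin, rp, challenge), challenge))
```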

    Troubleshooting

    "Invalid authenticator code"

    • Make sure you are entering the code currently displayed in your app (codes change every 30 seconds)
    • Check that your phone's clock is set to automatic/network time
    • If the problem persists, try removing and re-adding the account in your authenticator app by disabling and re-enabling 2FA in DNScale

    Security key not recognized

    • Make sure your key is properly inserted in the USB port
    • Try a different USB port or use a USB-A adapter if needed
    • Check that your browser supports WebAuthn (all modern browsers do)
    • On macOS, make sure you have not disabled Touch ID in System Settings
    • If using an NFC key, hold it close to the NFC reader for a few seconds

    "The operation was cancelled"

    • You may have dismissed the browser's security key prompt. Click the verify button again to retry.
    • Some browsers time out after about 60 seconds — insert your key and touch it promptly after the prompt appears.

    "This security key is already registered"

    • The key you are trying to register is already associated with your account. Each physical key can only be registered once per account.

    "No recovery codes available"

    • All 10 recovery codes have been used. Contact support to regain access to your account.

    Lost Authenticator Device

    • Use one of your saved recovery codes to sign in
    • Or use a registered security key if you have one
    • Once signed in, go to Settings and remove the old TOTP method, then set it up again with your new device
    • If you have no recovery codes and no other MFA method, contact DNScale support for manual identity verification

    Lost Security Key

    • Use your authenticator app or email verification to sign in
    • Or use a recovery code
    • Once signed in, go to Settings and remove the lost key
    • Register a new security key if you have a replacement

    Codes Expire Too Quickly

    TOTP codes are valid for 30 seconds. If your code keeps expiring before you can enter it, check your device's clock synchronization. On most phones, this is under Settings > Date & Time > Automatic.
