Two-factor authentication — what we offer and why
Two-factor authentication adds a second step to sign-in so that even if your password leaks, an attacker can't get in without your physical device.
Turtini supports three second factors:
1. Authenticator app (TOTP) — a 6-digit code from Google Authenticator, 1Password, Authy, or any RFC 6238-compatible app. Works on every device.
2. Passkeys (WebAuthn) — biometric one-tap sign-in using your device's secure enclave (Face ID, Touch ID, Windows Hello, Yubikey). Stronger than TOTP and faster.
3. Recovery codes — a one-time set of 10 codes you save somewhere safe (password manager, locked drawer). Used when your phone / passkey is lost.
Recommended setup:
• Enroll a passkey on every device you sign in from regularly (laptop, phone, tablet) — they're tied to the device.
• Enroll TOTP as a portable backup for occasional sign-ins from new devices.
• Generate recovery codes once, store them somewhere safe, and forget them — they're for the day you lose everything else.
Where it lives:
Settings → Two-factor authentication. The section shows your current state, lets you enroll, regenerate recovery codes, see trusted devices, and remove factors.
If you signed in with Google:
The "second factor" is your Google account's own 2FA, not a separately-enrolled Turtini one. We honor whatever Google enforces. You can still register a passkey on your Turtini account for one-tap re-entry on the device.
When we ask for the second factor:
On every new device. Once you mark a device as "trust this device for 30 days" we won't ask again on that device for the duration. After 30 days, or if a security event triggers a re-challenge, we'll prompt again.