Security
Enable two-factor authentication
Two-factor authentication (2FA) adds a second layer of protection beyond your password. StackBlaze uses TOTP (Time-based One-Time Passwords) per RFC 6238: your authenticator app and StackBlaze share a secret, and each independently computes the same 6-digit code every 30 seconds from that secret and the current Unix timestamp using HMAC-SHA1.
Even if your password is compromised, an attacker cannot sign in without also having a current code from your authenticator device (or one of your recovery codes). We strongly recommend enabling 2FA for all accounts; it is required for accounts with Owner or Admin roles on production projects.
QR code setup
Recovery codes
Save your recovery codes
These 8 one-time codes let you sign in if you lose your authenticator device. Each code can only be used once. Store them in a password manager or print them and keep them somewhere safe.
After closing this dialog, these codes cannot be retrieved. Generate a new set from Account → Security if needed.
Supported authenticator apps
Google Authenticator
iOS & Android
Authy
iOS, Android & Desktop
1Password
iOS, Android, macOS & Windows
Bitwarden
iOS, Android, macOS & Windows
Under the hood
- Encrypted secret storage: your TOTP secret is encrypted with AES-256-GCM before being written to the platform's secrets vault. The plaintext secret never appears in logs, databases, or audit trails.
- HMAC-SHA1 with Unix time: the TOTP algorithm computes HOTP(secret, floor(time / 30)), where HOTP is an HMAC-SHA1 over the counter, dynamically truncated to a 31-bit integer and reduced to 6 decimal digits (RFC 4226). StackBlaze accepts codes from the previous and next 30-second window as well as the current one, tolerating clock drift of up to ±30 seconds between your device and the server.
- Recovery code hashing: recovery codes are stored as bcrypt hashes, not plaintext. When you use a code, it is marked consumed; used codes cannot be replayed. You can regenerate a fresh set of 8 codes at any time from Account → Security.
- Session re-verification: privileged actions (changing billing, deleting a project, rotating API keys) require a fresh 2FA code even if your session is already authenticated. This limits the blast radius of a stolen session token.
Step by step
Go to Account → Security
Click your avatar in the top-right corner of the StackBlaze dashboard, then select "Account settings". Open the "Security" tab; the Two-Factor Authentication section shows its current status as Disabled.
Click "Enable 2FA"
Click the "Enable two-factor authentication" button. StackBlaze generates a unique TOTP secret tied to your account and displays it as both a QR code and a plain-text key for manual entry. This page is shown only once, so save the key if you need it. Treat the key like a password: anyone who holds it can generate your codes.
Scan the QR code with your authenticator app
Open your authenticator app (Google Authenticator, Authy, 1Password, or Bitwarden) and scan the QR code displayed on screen. The app will add a "StackBlaze" entry that generates a new 6-digit code every 30 seconds.
Enter the 6-digit code to verify
Type the current 6-digit code shown in your authenticator app into the verification field and click "Verify". StackBlaze checks the code using the TOTP algorithm (RFC 6238) with a ±1 window to allow for minor clock drift. If the code is rejected, wait for the next 30-second window and try again; if codes are rejected repeatedly, check that your device's clock is set automatically, since the code is derived from the current time.
Download and save your recovery codes
After verification, StackBlaze generates 8 one-time recovery codes. Download and store them somewhere safe; a password manager is ideal. Each code can only be used once. If you ever lose access to your authenticator app, a recovery code is the only way back into your account.
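The following is an added, self-contained example (not StackBlaze's own code) that walks through the server side of the mechanics described under "Under the hood" and the enrollment steps above: generating a secret and the otpauth URI behind the QR code, computing HOTP/TOTP exactly as RFC 4226 and RFC 6238 specify, verifying a submitted code with the ±1 window, and issuing and consuming hashed recovery codes. The issuer name "StackBlaze", the account label, the code and window constants, and all function names are assumptions made for illustration. Because bcrypt is not in the Python standard library, the recovery-code hash uses hashlib.scrypt as a stand-in for the bcrypt the page describes. The HOTP/TOTP test values at the bottom are the published RFC 4226 and RFC 6238 vectors for the shared secret "12345678901234567890".

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

ISSUER = "StackBlaze"   # label the authenticator app shows (assumed)
STEP = 30               # seconds per TOTP window (RFC 6238 default)
DIGITS = 6
DRIFT_WINDOWS = 1       # also accept the previous and next window (+/-30 s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit integer
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP is simply HOTP(secret, floor(time / 30))."""
    return hotp(secret, unix_time // STEP)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None) -> bool:
    """Accept the current window plus DRIFT_WINDOWS on either side; compare in constant time."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    now = int(time.time()) if unix_time is None else unix_time
    counter = now // STEP
    ok = False
    for delta in range(-DRIFT_WINDOWS, DRIFT_WINDOWS + 1):
        # No early return: every candidate window is checked regardless of which one matches.
        ok |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return ok


def new_enrollment(account: str) -> dict:
    """Enrollment step: fresh 160-bit secret, manual-entry key, and the otpauth URI encoded in the QR code."""
    secret = secrets.token_bytes(20)
    manual_key = base64.b32encode(secret).decode()           # what the user types if they cannot scan
    uri = (f"otpauth://totp/{quote(ISSUER)}:{quote(account)}"
           f"?secret={manual_key}&issuer={quote(ISSUER)}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return {"secret": secret, "manual_key": manual_key, "otpauth_uri": uri}


def _hash_code(code: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (not in the standard library): a slow, salted hash, so a leaked
    # table of hashes cannot be turned back into usable recovery codes.
    return hashlib.scrypt(code.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def generate_recovery_codes(n: int = 8) -> tuple:
    """Return (plaintext codes to show once, hashed records to persist)."""
    plain, stored = [], []
    for _ in range(n):
        code = secrets.token_hex(5)                           # 10 hex characters, 40 bits
        salt = os.urandom(16)
        plain.append(code)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return plain, stored


def redeem_recovery_code(stored: list, submitted: str) -> bool:
    """Consume one matching unused code; a consumed code is never accepted again."""
    for rec in stored:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash_code(submitted, rec["salt"]), rec["hash"]):
            rec["used"] = True
            return True
    return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                      # RFC 4226 / 6238 test secret
    print("HOTP counter 1:", hotp(rfc_secret, 1))             # 287082 per RFC 4226
    print("TOTP at t=59:  ", totp(rfc_secret, 59))            # same window, same code
    enrol = new_enrollment("alice@example.com")               # constructed account label
    print("QR payload:", enrol["otpauth_uri"])
    codes, records = generate_recovery_codes()
    print("first redeem:", redeem_recovery_code(records, codes[0]),
          "replay:", redeem_recovery_code(records, codes[0]))
```

The constant-time comparison and the absence of an early return in verify_totp matter because a code check that returns as soon as a digit mismatches leaks timing information to an attacker who can submit many guesses; the ±1 window is what lets a phone whose clock is 20 seconds slow still sign in. In a real deployment the scrypt stand-in would be replaced by bcrypt as the page states, and the enrollment secret would be encrypted before it reaches the vault.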