Two-Factor Authentication: Strengthen Access
Add a second authentication factor to your RunTheAgent account so a compromised password alone cannot grant access to your OpenClaw agent.
What You Will Get
By the end of this guide, all team members accessing your RunTheAgent account will use two-factor authentication (2FA). Even if a password is stolen, the attacker cannot log in without the second factor, which is typically a time-based code from an authenticator app.
2FA is one of the most effective security measures you can implement. It blocks the vast majority of account takeover attacks because attackers rarely have access to both the password and the victim's phone or hardware key.
You will enable 2FA for your own account, enforce it for all team members, configure recovery options, and set up monitoring for authentication events. The result is a significantly harder target for attackers trying to access your agent's configuration and data.
Step-by-Step Setup
Follow these steps to enable and enforce two-factor authentication.
Enable 2FA on Your Own Account
Go to your RunTheAgent account settings and select Security. Click Enable Two-Factor Authentication. The system will display a QR code that you scan with an authenticator app on your phone. After scanning, enter the 6-digit code displayed by the app to confirm setup.
Save Recovery Codes
After enabling 2FA, the system generates a set of recovery codes. These one-time codes let you log in if you lose access to your authenticator app. Save them in a secure location like a password manager or a printed sheet in a locked drawer. Each code can only be used once.
Enforce 2FA for All Team Members
Navigate to the Team Security settings and toggle the 2FA enforcement policy. This requires all existing and new team members to set up 2FA before they can access the dashboard. Set a grace period of 7 days for existing members to comply without losing access.
Configure Allowed Authentication Methods
Choose which 2FA methods your team can use. Options include authenticator apps (TOTP), hardware security keys (WebAuthn), and SMS codes. Authenticator apps and hardware keys are recommended. SMS is less secure due to SIM swapping risks but can be allowed as a fallback.
Set Up Trusted Devices
Configure trusted device settings so team members do not need to enter a 2FA code on every login from their regular devices. A trusted device remembers the second factor for a configurable period, such as 30 days. Untrusted devices always require the full 2FA flow.
Test the Login Flow
Log out and log back in to verify that 2FA is working correctly. After entering your password, you should be prompted for the 6-digit code from your authenticator app. Test one recovery code to confirm it works; because each code is single-use, that code is now spent, so continue normal logins with codes from your authenticator app.
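The mechanics behind the login test above, as an added Python example (this is not RunTheAgent's own code, and the shared secret, account name, issuer string and recovery-code format are constructed for illustration): a TOTP verifier per RFC 6238 that accepts one step of clock drift, the otpauth URI a setup QR code encodes, and recovery codes that are stored only as salted hashes and consumed on first use, so a tested code cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # the 6-digit code the setup step asks for


def generate_totp_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect (160 bits here, an assumption)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that a setup QR code encodes (issuer and account values are illustrative)."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^DIGITS."""
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app displays)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS)


def verify_totp(secret: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps for clock drift; constant-time compare."""
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class RecoveryCodes:
    """One-time recovery codes. Plaintext is shown once at generation; only salted hashes are kept,
    and a hash is deleted the moment its code is redeemed, so no code can be used twice."""

    def __init__(self, count: int = 10):
        self.salt = secrets.token_bytes(16)
        # Constructed format: two 5-hex-char groups such as "3fa1b-c92e0"; the product's real format may differ.
        self.plaintext: List[str] = [f"{h[:5]}-{h[5:]}" for h in (secrets.token_hex(5) for _ in range(count))]
        self._hashes = {self._hash(c) for c in self.plaintext}

    def _hash(self, code: str) -> bytes:
        # Normalize user input (case, hyphens) and use a slow hash: recovery codes carry far less entropy than a TOTP secret.
        normalized = code.replace("-", "").strip().lower()
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        """True exactly once per valid code; False for unknown or already-spent codes."""
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    secret = generate_totp_secret()
    print(provisioning_uri(secret, "alice@example.com", "RunTheAgent"))
    print("current code:", totp(secret), "verifies:", verify_totp(secret, totp(secret)))
    codes = RecoveryCodes()
    print("recovery code works once:", codes.redeem(codes.plaintext[0]), codes.redeem(codes.plaintext[0]))
```

The one-step window is what lets a phone whose clock is a few seconds off still log in; widening it further makes a guessed code slightly more likely to land, which is why the comparison is constant-time and why a real service also rate-limits second-factor attempts.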
Monitor Authentication Events
Enable authentication event logging in the audit settings. Review login events weekly, paying attention to failed 2FA attempts, logins from new devices, and logins from unusual locations. These events can indicate a compromised password where the attacker is blocked by 2FA.
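The weekly review described above, as an added Python example (not RunTheAgent's code; the event names, field names and the log lines themselves are constructed, and the threshold of three second-factor failures within 15 minutes is an assumption): it replays audit events in time order, builds each member's baseline of known devices and countries from earlier successful logins, and flags the three patterns the step names, including the "correct password, failed second factor" burst that points to a stolen password being held off by 2FA.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List

FAIL_THRESHOLD = 3                   # assumed: this many 2FA failures after a correct password ...
FAIL_WINDOW = timedelta(minutes=15)  # ... inside this window is worth a ticket

# Constructed sample audit log (JSON lines); field and event names are assumptions, not the product's schema.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "event": "login_success", "device": "dev-a1", "country": "DE"}
{"ts": "2024-05-01T09:05:00Z", "user": "alice", "event": "login_success", "device": "dev-a1", "country": "DE"}
{"ts": "2024-05-02T22:10:00Z", "user": "alice", "event": "password_ok_2fa_failed", "device": "dev-x9", "country": "BR"}
{"ts": "2024-05-02T22:11:00Z", "user": "alice", "event": "password_ok_2fa_failed", "device": "dev-x9", "country": "BR"}
{"ts": "2024-05-02T22:12:00Z", "user": "alice", "event": "password_ok_2fa_failed", "device": "dev-x9", "country": "BR"}
{"ts": "2024-05-03T08:00:00Z", "user": "bob", "event": "login_success", "device": "dev-b2", "country": "DE"}
{"ts": "2024-05-03T13:00:00Z", "user": "bob", "event": "login_success", "device": "dev-b7", "country": "US"}
"""


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines and sort by timestamp so baselines are built before later events are judged."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def review(raw: str) -> List[dict]:
    """Return one finding per suspicious pattern: repeated_2fa_failure, new_device, new_country."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    recent_failures = defaultdict(deque)
    findings: List[dict] = []

    def flag(e: dict, kind: str, detail: str) -> None:
        findings.append({"user": e["user"], "kind": kind, "ts": e["ts"].isoformat(), "detail": detail})

    for e in parse_events(raw):
        user = e["user"]
        if e["event"] == "login_success":
            # A member's very first login only seeds the baseline; later logins are compared against it.
            if known_devices[user] and e["device"] not in known_devices[user]:
                flag(e, "new_device", f"first login from device {e['device']}")
            if known_countries[user] and e["country"] not in known_countries[user]:
                flag(e, "new_country", f"first login from {e['country']}")
            known_devices[user].add(e["device"])
            known_countries[user].add(e["country"])
        elif e["event"] == "password_ok_2fa_failed":
            # Sliding window of second-factor failures; flag once, when the burst reaches the threshold.
            q = recent_failures[user]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                flag(e, "repeated_2fa_failure",
                     f"{FAIL_THRESHOLD} second-factor failures after a correct password "
                     f"within {FAIL_WINDOW} from {e['device']} ({e['country']})")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']}  {f['user']:<6} {f['kind']:<22} {f['detail']}")
```

A `repeated_2fa_failure` finding is the one to act on first: the password check passed, so that member's password should be rotated even though the login never succeeded.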
Tips and Best Practices
Prefer Hardware Keys Over SMS
Hardware security keys provide the strongest second factor because they are immune to phishing and SIM swapping. If your team handles sensitive data, consider requiring hardware keys for all members.
Back Up Your Authenticator App
Use an authenticator app that supports cloud backup of your TOTP secrets. If your phone is lost or damaged, you can restore your 2FA codes on a new device without needing recovery codes.
Never Share Recovery Codes
Recovery codes are personal to each account. Sharing them defeats the purpose of 2FA. If a team member loses their codes and their authenticator, an administrator can reset their 2FA so they can set it up again.
Audit 2FA Compliance Monthly
Check the team member list monthly to ensure everyone has 2FA enabled. The enforcement policy catches new members, but existing members who have not yet completed setup, for example during the grace period, should be identified and reminded to comply.