Two-factor authentication (2FA) means even if someone guesses your password, they still can't sign in without a code from your phone. It takes 90 seconds to set up and saves a lot of pain later.
Enable 2FA
1. Open Settings → Security.
2. Tap Enable two-factor authentication. PopIn confirms your password before showing the QR code.
3. Scan the QR code. Use any authenticator app: Google Authenticator, 1Password, Authy, Bitwarden, etc.
4. Type the 6-digit code from your authenticator. PopIn verifies it and marks 2FA as enabled.
5. Save your backup codes. You get ten one-time codes. Each works once for sign-in if you lose your authenticator. Save them somewhere safe.
If you lose access to your authenticator AND your backup codes, only support can help, and the verification process is slow on purpose (24-48 hours). Save your backup codes properly.
Backup codes - what to do with them
| Recommended | Don't |
|---|---|
| Save in a password manager | Email them to yourself |
| Print and stash in your wallet | Take a screenshot and leave it in Photos |
| Keep in a notes app you'd never lose access to | Save them in PopIn itself |
Trusted devices
When you tick "Trust this device for 90 days" on the sign-in verification screen, PopIn skips the TOTP prompt on that browser for 90 days. The trust expires automatically. You can revoke a trusted device early from Settings → Security → Trusted devices.
Don't tick "Trust this device" on public computers or shared devices.
What 2FA protects against
2FA protects against stolen-password attacks (someone has your password and tries to sign in). It does NOT protect against compromised sessions (someone steals your active session cookie from your own device), and it doesn't replace good password hygiene - pick a strong, unique password regardless.
Replacing your authenticator
If you got a new phone or your authenticator was compromised: sign in with a backup code, then go to Settings → Security → Replace authenticator. PopIn walks you through disabling 2FA and setting it up again with the new device, and issues a fresh set of backup codes. The old ones become invalid.