Two-Factor Authentication

Setting up TOTP and using hardware tokens.

Two-Factor Authentication (2FA) adds a second layer of security to your account by requiring a form of verification in addition to your password. OpenCommit supports Time-based One-Time Passwords (TOTP) and hardware security keys.

Enabling 2FA is required for all users by OpenCommit.

Supported Methods

OpenCommit supports the following 2FA methods:

  • TOTP (Authenticator Apps)
    Use an app such as:

    • Aegis
    • Google Authenticator
    • Microsoft Authenticator
    • Authy
  • Hardware Security Keys (WebAuthn/FIDO2)
    Examples include:

    • YubiKey
    • SoloKey
    • Nitrokey

Enabling TOTP (Authenticator App)

  1. Go to your account Settings
  2. Navigate to Security
  3. Locate the Two-Factor Authentication (TOTP) section
  4. Click Enroll into two-factor authentication
  5. Scan the displayed QR code with your authenticator app
  6. Enter the 6-digit code generated by your app
  7. Click Verify
  8. Save your scratch token in a secure location

The scratch token is only displayed once!

Once completed, TOTP can be used during login.

Enabling a Hardware Security Key

  1. Go to your account Settings
  2. Navigate to Security
  3. Locate the Two-Factor Authentication (Security Keys) section
  4. Enter a recognizable nickname for the key
  5. Click Add security key
  6. Insert your hardware key and follow the browser prompts

You will still be able to recover access to your account with TOTP if your key breaks, but where possible you should register at least 2 security keys for redundancy.

Scratch Token

When enabling 2FA, you will receive a scratch token. This can be used if you lose access to your authenticator or hardware key.

  • Store this code securely (offline is recommended)
  • It can only be used once
  • Generate a new code after using it, or if it may have been exposed

Logging In with 2FA

After entering your username and password, you will be prompted to:

  • Enter a TOTP code from your authenticator app, or
  • Use your registered hardware security key

Disabling 2FA

OpenCommit requires all users to have 2FA enabled.

Troubleshooting

  • Incorrect codes
    Ensure your device clock is synchronized (automatic time sync recommended)

  • Lost device or key
    Use the scratch token to regain access

  • No scratch token available
    Contact OpenCommit Support
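
As an added illustration (not OpenCommit's own code) of how the 6-digit code in the TOTP enrolment steps and the clock-sync note above fit together: a minimal RFC 6238 TOTP generator and server-side verifier in Python, using the shared secret from the RFC test vectors. It shows that a phone clock one 30-second step behind still matches inside a one-step window, while a 90-second drift is rejected, which is exactly the "Incorrect codes" symptom. The secret, timestamps and window size are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# Constructed for this demo; a real enrolment generates a random secret per user.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (the authenticator-app default)
DIGITS = 6     # code length shown in the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> Optional[int]:
    """Server-side check. Accepts the current step and `window` steps either side
    to absorb small clock drift; returns the skew (in steps) that matched, or None.
    A real server must also record the last accepted step so a code cannot be replayed."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + skew * STEP), code):
            return skew
    return None


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what the enrolment QR code carries."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    server_now = 1111111109 + 30                  # server clock (constructed timestamp)
    phone_code = totp(DEMO_SECRET, 1111111109)    # phone is one step (30 s) behind
    print("code:", phone_code, "matched skew:", verify_totp(DEMO_SECRET, phone_code, server_now))
    # A phone 90 s behind falls outside the window and the code is rejected.
    print("90 s drift:", verify_totp(DEMO_SECRET, phone_code, 1111111109 + 90))
```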

Recommendations

  • Use a hardware security key where possible
  • Register at least two authentication methods
  • Keep your scratch token offline and secure
  • Avoid storing codes in plain text or shared systems