Clickport
Start free trial
Dashboard Engagement Tracking Session Tracking Goal Conversions Filtering & Segments Privacy First Real-Time Analytics Bot Protection vs Google Analytics vs Matomo vs Cloudflare All comparisons
For Bloggers For Publishers For Affiliates For E-commerce For SaaS For Agencies
How It Works Blog Updates Documentation UTM Builder GDPR Checker GA4 Data Loss Estimator GA Legal Status GA Problems WordPress Analytics Bot Traffic AI Traffic Ecommerce Analytics Comparisons WordPress Custom Events About Contact Status

Two-factor authentication

Two-factor authentication (2FA) adds a second step to password logins. After you enter your email and password, Clickport asks for a 6-digit code from an authenticator app on your phone. Even if someone gets your password, they cannot sign in without the code.

2FA is opt-in. Enable it from Security settings, in the "Two-factor authentication" card.

Enabling 2FA

  1. Open your authenticator app. Any TOTP-compatible app works: 1Password, Authy, Google Authenticator, Microsoft Authenticator, Bitwarden, Aegis.
  2. On the Two-factor authentication card, click Enable 2FA. A modal opens with a QR code and a manual code.
  3. Scan the QR code in your authenticator app, or paste the manual code into it.
  4. Enter the 6-digit code your app shows. Click Verify and enable.
  5. Save the 10 recovery codes that appear next. Use the Copy button or the Download .txt button. This is the only time you will see them. Store them in a password manager or a secure note.
  6. Click I've saved them to close the modal. The card now shows a green "Enabled" badge.

You will get a confirmation email saying 2FA was enabled.

Signing in with 2FA

Once enabled, the password sign-in flow has one extra step:

  1. Enter email and password as usual.
  2. The page swaps to a "Two-factor authentication" prompt.
  3. Open your authenticator app, read off the current 6-digit code, type it in, and click Verify.

Codes refresh every 30 seconds. We accept the previous, current, and next code, so a small clock drift on your device is fine. Each accepted code is then locked out from re-use within its window.

Recovery codes

You get 10 recovery codes when you enable 2FA. Each works exactly once. Use them when you do not have your authenticator app, for example after losing your phone.

Using a recovery code at sign-in

On the 2FA prompt, click Use a recovery code instead. The input switches from numeric to alphanumeric. Type one of your saved codes and click Verify. The code is consumed (deleted) on success and cannot be used again.

Low-codes warning

When 2 or fewer recovery codes remain, a banner appears on your dashboard prompting you to regenerate. You can keep using the account normally, but you should generate fresh codes soon.

Regenerating recovery codes

On the Two-factor authentication card, click Regenerate recovery codes. Confirm with your password. We replace all of your existing codes with 10 new ones and show them once. Old codes immediately stop working.

OAuth logins do not require 2FA

If you sign in with Google or GitHub, Clickport does not prompt for a 2FA code, even when 2FA is enabled on your account. The OAuth provider has already verified your identity (and is responsible for its own MFA). Adding a second step here would be redundant.

If 2FA matters to you, make sure your Google or GitHub account itself has strong account security enabled. Disconnecting OAuth from Connected accounts will close that bypass and force every sign-in through password + 2FA.

Disabling 2FA

On the Two-factor authentication card, click Disable 2FA. Confirm with your account password. We:

  • Clear your TOTP secret, so the QR code in your authenticator app stops working for our account.
  • Delete all of your recovery codes.
  • Send a confirmation email so you know it happened, even if it was someone else.

Disabling and re-enabling later generates a fresh secret and a fresh batch of 10 recovery codes. Your old QR/codes stay invalid.

Lost authenticator and lost recovery codes

If you have lost both your authenticator device and your recovery codes, contact support@clickport.io. We will verify your identity and clear 2FA from your account so you can sign in and re-enroll.

There is no automated unlock path. We do this manually on purpose: if a self-serve "I lost my codes" reset existed, it would itself be the weakest link.

Password reset does not bypass 2FA. Resetting your password from a "Forgot password?" email is not enough on its own. After resetting, you still need your authenticator code (or a recovery code) at the next sign-in. This protects accounts where the email itself has been compromised.

Where 2FA does and does not apply

  • Password sign-in: 2FA prompt is required.
  • OAuth sign-in (Google or GitHub): 2FA is bypassed by design.
  • Password reset: 2FA is still required at the next sign-in after the reset.
  • API keys: not affected. Per-site API keys are independent of your account password and 2FA.
Previous Bot Management