Security

Two-factor authentication and hardware keys

Setting up TOTP, SMS, and FIDO2 hardware keys for your account.

Every KnightsVault account uses two-factor authentication (2FA). Most users also enrol a FIDO2 hardware security key for high-value approvals.

TOTP (authenticator app)

TOTP is the minimum requirement for every account. Setup:

  1. Profile → Two-Factor Authentication → Generate setup code.
  2. Scan the QR code with an authenticator app:
    • Google Authenticator (iOS, Android)
    • Authy (iOS, Android, desktop)
    • 1Password (subscription required for TOTP)
  3. Enter the 6-digit code from your app to confirm.

Save the backup code shown on screen. It is the only way to recover access if you lose your phone before adding a backup.

SMS OTP

Available as a secondary factor on top of TOTP. Less secure than TOTP because it is exposed to SIM-swap attacks, but useful as a fallback. Configure in Profile → SMS verification.

FIDO2 hardware keys

Required for executives and admin staff who approve withdrawals or participate in MPC ceremonies. Recommended for any account holding significant funds.

Compatible devices:

  • YubiKey 5 series (USB-A, USB-C, NFC)
  • Ledger Stax / Flex with FIDO2 firmware enabled
  • Touch ID on macOS (Safari + supported Macs)
  • Windows Hello on Windows 11

Setup:

  1. Profile → Hardware security keys → Manage hardware keys.
  2. Plug in or activate your key.
  3. Give it a nickname (e.g. "YubiKey 5C office") and click Register.
  4. Touch the key when prompted.

Always register at least two keys — one primary, one offline backup. There is no recovery flow if you lose access to all keys.

Lost device or key

  • Lost phone (TOTP) — log in with your backup code, then re-enable 2FA with a new device.
  • Lost backup code AND phone — contact support; we will guide you through a manual identity check (24–72 hours).
  • Lost hardware key — log in normally and remove the lost key from Manage hardware keys, then register a new one. If it was your only key, contact support.