# Two-Factor Authentication

Users can enable two-factor authentication for their accounts in the `/account/2fa` view. Once enabled, the user will be presented with a QR code that they can scan using their authenticator app of choice, such as Google Authenticator.

{% hint style="info" %}
The user's secret (and QR code) is shared across all of their accounts, so they don't need to scan a new code for each account they belong to or own. If 2FA is disabled and then re-enabled, they will need to scan the new QR code.
{% endhint %}

2FA works with all the Gravity login flows:

* username and password
* magic links
* social sign-ons

Once a user has completed the first-factor authentication using one of these methods, they will be prompted to enter the OTP (verification code) from their authenticator app. This screen has a time-sensitive token (5 mins) created during the first step; this prevents a user from bypassing the first step in the auth flow without a token.
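
The two-step gate described above, as an added example that is not Gravity's own code: the OTP is only evaluated when a valid, unexpired first-step token is presented. The HMAC-signed token format, the function names and the raw `Buffer` secret (instead of base32) are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not Gravity's implementation.
const { createHmac, timingSafeEqual } = require('node:crypto');

const PENDING_TTL_MS = 5 * 60 * 1000; // the 5-minute window described above
const mac = (key, data) => createHmac('sha256', key).update(data).digest('base64url');

// Constant-time string comparison that tolerates unequal lengths.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Step 1: issued only after password, magic link or social sign-on succeeds.
function issuePendingToken(userId, key, now = Date.now()) {
  const claims = { sub: userId, purpose: '2fa', exp: now + PENDING_TTL_MS };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${mac(key, payload)}`;
}

// Returns the user id, or null when the token is missing, forged or expired.
function verifyPendingToken(token, key, now = Date.now()) {
  const [payload, sig, extra] = String(token).split('.');
  if (!payload || !sig || extra !== undefined) return null;
  if (!safeEqual(sig, mac(key, payload))) return null; // check the MAC before parsing
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (claims.purpose !== '2fa' || now >= claims.exp) return null;
  return claims.sub;
}

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) over a raw secret Buffer.
function totp(secret, now = Date.now()) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(now / 30000)));
  const h = createHmac('sha1', secret).update(counter).digest();
  const off = h[19] & 0x0f; // dynamic truncation offset
  return String((h.readUInt32BE(off) & 0x7fffffff) % 1e6).padStart(6, '0');
}

// Step 2: the OTP is checked only for the user named in a valid pending token.
function completeSignIn(token, otp, key, lookupSecret, now = Date.now()) {
  const userId = verifyPendingToken(token, key, now);
  if (userId === null) return { ok: false, reason: 'first factor missing or expired' };
  if (!safeEqual(otp, totp(lookupSecret(userId), now))) return { ok: false, reason: 'bad code' };
  return { ok: true, userId };
}
```

A production flow would also rate-limit OTP attempts and reject reuse of a code within its time step; this block leaves both out.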

### Setting Your App Name In The Authenticator Apps

To show your application name in the user's authenticator app, simply set the `APP_NAME` env var to the name of your application.
