CodeHero supports optional Two-Factor Authentication using Google Authenticator or any TOTP-compatible app.
- TOTP-based 2FA - Works with Google Authenticator, Authy, Microsoft Authenticator, etc.
- Account Lockout - Automatic lockout after 5 failed login attempts (30 min)
- Remember Device - Skip 2FA on trusted devices until end of month
- Terminal Management - Enable/disable 2FA from command line
sudo /opt/codehero/scripts/manage-2fa.sh
Select option 1. Enable 2FA
A QR code will appear in the terminal. Scan it with your authenticator app:
- Google Authenticator (Android/iOS)
- Authy (Android/iOS/Desktop)
- Microsoft Authenticator (Android/iOS)
Or manually enter the secret code shown below the QR.
Enter the 6-digit code from your authenticator app to verify:
Enter 6-digit code to verify: 482910
✓ 2FA enabled successfully!
Next time you log in:
- Enter username and password
- Enter the 6-digit code from your authenticator
- (Optional) Check "Remember this device" to skip 2FA until end of month
sudo /opt/codehero/scripts/manage-2fa.sh
┌─────────────────────────────────────────┐
│ CodeHero 2FA Management                 │
├─────────────────────────────────────────┤
│ Status: OFF                             │
├─────────────────────────────────────────┤
│ 1. Enable 2FA (show QR code)            │
│ 2. Disable 2FA                          │
│ 3. Reset 2FA (new QR code)              │
│ 4. Unlock account                       │
│ 5. Show status                          │
│ 6. Exit                                 │
└─────────────────────────────────────────┘
# Enable 2FA
sudo /opt/codehero/scripts/manage-2fa.sh enable
# Disable 2FA
sudo /opt/codehero/scripts/manage-2fa.sh disable
# Reset 2FA (generate new QR code)
sudo /opt/codehero/scripts/manage-2fa.sh reset
# Unlock account after failed attempts
sudo /opt/codehero/scripts/manage-2fa.sh unlock
# Show current status
sudo /opt/codehero/scripts/manage-2fa.sh status
If you enter the wrong password 5 times, the account locks for 30 minutes.
sudo /opt/codehero/scripts/manage-2fa.sh status
CodeHero Authentication Status
==================================================
2FA Status: Enabled ✓
Account Status: Locked (unlocks in 25 min)
Failed Attempts: 5/5
sudo /opt/codehero/scripts/manage-2fa.sh unlock
✓ Account unlocked.
Failed attempts reset to 0.
When logging in with 2FA, you can check "Remember this device":
- The device is trusted until the end of the current month
- No 2FA code required for subsequent logins
- Automatically expires and requires 2FA again next month
- Log in with username + password
- Enter 2FA code
- Check "Remember this device"
- Click Verify
A secure cookie is set that expires at month end.
If you lose your phone or can't access your authenticator app:
SSH into the server and run:
sudo /opt/codehero/scripts/manage-2fa.sh disable
Then re-enable and scan a new QR code.
sudo /opt/codehero/scripts/manage-2fa.sh disable
You can now log in with just username and password.
- Enable 2FA - Adds an extra layer of security
- Use a reputable authenticator app - Google Authenticator, Authy, etc.
- Don't share your secret - The QR code/secret is sensitive
- Backup your authenticator - Some apps support cloud backup
- Use strong passwords - 2FA is not a substitute for good passwords
- Make sure your phone's time is correct (TOTP is time-based)
- Wait for a new code if current one is about to expire
- Verify you're using the correct authenticator entry
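The points above follow from how TOTP derives each code from the clock. The following added example (not CodeHero's own code) implements RFC 6238 verification and shows a code from a phone whose clock is 95 seconds off being rejected. The ±1-step acceptance window and the sample secret are assumptions, since the page does not state CodeHero's tolerance.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", unix_time // STEP)    # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from the current step or `window` steps either side.

    window=1 is an assumed tolerance, not a documented CodeHero setting.
    """
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        ok |= hmac.compare_digest(expected, code)     # constant-time comparison
    return ok


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32,
# the same form as the secret key shown below the QR code.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_NOW = 59  # RFC 6238 test time, inside time step 1

if __name__ == "__main__":
    for skew in (0, 25, 95):  # seconds the phone clock runs ahead of the server
        phone_code = totp(SECRET, SERVER_NOW + skew)
        accepted = verify(SECRET, phone_code, SERVER_NOW)
        print(f"phone {skew:>2}s ahead -> code {phone_code} accepted={accepted}")
```
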
sudo /opt/codehero/scripts/manage-2fa.sh unlock
Enter the secret code manually in your authenticator app:
- Select "Enter manually" or "Add account"
- Account name: admin
- Secret key: (the code shown below QR)
- Type: Time-based (TOTP)
# Disable 2FA
sudo /opt/codehero/scripts/manage-2fa.sh disable
# Unlock account
sudo /opt/codehero/scripts/manage-2fa.sh unlock
# Re-enable fresh
sudo /opt/codehero/scripts/manage-2fa.sh enable