2 Factor Authentication (2FA) adds an extra security step when signing in to your Loophole account. After you enter your password, you'll also enter a 6-digit code - so even if someone gets your password, they can't sign in without your second factor.
You can set up 2FA from Settings → Security.
Loophole supports three 2FA methods:
Authenticator App - Use Google Authenticator, 1Password, Authy, or another TOTP app
Email Code - Receive a one-time code at your account email
SMS Code - Receive a one-time code at your account phone number
You can only have one method active at a time, but you can switch between methods at any point.
Before you start
You'll need access to whichever method you're setting up - your phone for an authenticator app, your inbox for email codes, or your registered phone for SMS.
If you don't see the SMS Code option, your account doesn't have a verified, SMS-opted-in phone number on file yet. You can add one from the Account and Notifications tabs.
Your 2FA card shows an Off badge in the corner. Once any method is enabled, that badge switches to Enabled.
Option 1: Authenticator App (recommended)
An authenticator app generates a fresh 6-digit code every 30 seconds, right on your phone - no internet or text message required to get the code.
Go to Settings → Security
In the 2 Factor Authentication card, click Setup next to Authenticator App
Open your authenticator app (Google Authenticator, 1Password, Authy, etc.) and add a new account
Scan the QR code shown on the page
Or, if you can't scan, click Manual Setup Key to reveal a setup key you can copy and paste into your app instead.
Your app will start showing a 6-digit code that refreshes every 30 seconds
Type the current code into the 6-Digit Code field on Loophole
Click Enable Authenticator App
You're done. The 2FA card will now show Enabled, with Authenticator App listed as your current method.
Tip: We recommend the authenticator app option because it works even when you don't have cell service or email access.
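Why the authenticator app needs no network: the code is computed from the setup key and the current time alone. The sketch below is an added example, not Loophole's code. It assumes the standard TOTP parameters (RFC 6238, HMAC-SHA1, base32 setup key) and a verifier that tolerates one step of clock drift; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the page: the code refreshes every 30 seconds
DIGITS = 6         # the page: 6-digit code

# Constructed sample: the RFC 6238 test secret, base32-encoded like a setup key.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_setup_key(setup_key: str) -> bytes:
    """Decode a manual setup key (assumed base32, the usual TOTP encoding)."""
    key = setup_key.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))  # restore padding


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 (assumed default) over the counter, cut to 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at) // STEP_SECONDS)


def verify(secret: bytes, submitted: str, at: float, drift_steps: int = 1) -> bool:
    """Accept the current step and `drift_steps` either side (assumed policy)."""
    current = int(at) // STEP_SECONDS
    ok = False
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        # Constant-time compare, no early exit, so timing does not reveal a match.
        ok |= hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_KEY)
    print("code for the current 30-second step:", totp(secret, time.time()))
```

Because both sides derive the code from the clock, a phone whose time is badly off will produce codes that fall outside the accepted window.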
Option 2: Email Code
A one-time 6-digit code is sent to your account email each time you sign in.
Go to Settings → Security
In the 2 Factor Authentication card, click Setup next to Email Code
Loophole immediately sends a 6-digit setup code to your account email
Open your inbox, copy the code, and enter it in the 6-Digit Code field
Click Submit
You're done. The card now shows Enabled with Email Code as your current method.
If the code doesn't arrive:
Check your spam/junk folder
Wait for the Resend Code button to become active (60-second cooldown), then click it
The code expires after 10 minutes - if it does, just request a new one
Option 3: SMS Code
A one-time 6-digit code is sent by text message to the phone number on your account.
Go to Settings → Security
In the 2 Factor Authentication card, click Setup next to SMS Code
Loophole immediately texts a 6-digit setup code to your registered phone number
Enter the code in the 6-Digit Code field
Click Submit
You're done. The card now shows Enabled with SMS Code as your current method.
If the text doesn't arrive:
Make sure your phone has signal and isn't blocking shortcodes
Wait for the Resend Code button to become active (60-second cooldown), then click it
The code expires after 10 minutes - if it does, just request a new one
Note: Standard message and data rates may apply, depending on your carrier and plan.
What happens when you sign in
Once 2FA is enabled, signing in to Loophole takes one extra step:
Enter your email and password as usual
You'll be prompted for your 6-digit code
Open your authenticator app, email, or texts (depending on your method) and enter the code
You're signed in
The verification screen also includes a Resend Code button (for Email Code and SMS Code) with a 60-second cooldown if the first code doesn't arrive.
How to switch to a different method
You can change methods at any time without turning 2FA off in between.
Go to Settings → Security
In the 2 Factor Authentication card, you'll see your current method plus buttons for the other available methods - for example, Switch to Email Code or Switch to SMS Code
Click the method you want to switch to
Complete the same setup steps you used the first time (scan a QR code or enter a one-time code)
Once you successfully verify the new method, it replaces the old one. There's no gap - 2FA stays on the entire time.
How to turn off 2FA
Go to Settings → Security
In the 2 Factor Authentication card, click Turn Off 2FA
A confirmation appears: "Turning off 2FA removes the extra sign-in step from your account."
Click Confirm - Turn Off
The card switches back to Off and all three methods become available to set up again.
We strongly recommend keeping 2FA enabled. Turning it off means your account is protected by your password alone.
Troubleshooting
My code says "expired" or "invalid"
Codes from Email Code and SMS Code expire 10 minutes after they're sent. Authenticator app codes refresh every 30 seconds. If your code is rejected, request or pull a fresh one and try again.
The Resend Code button is greyed out
There's a 60-second cooldown between resends to prevent abuse. The button will become active automatically once the timer ends.
I've tried too many codes and the page told me to start over
For your account's safety, the setup session resets after a number of incorrect attempts. Click Cancel, then click Setup again to start fresh.
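The three limits described in this troubleshooting section (10-minute expiry, 60-second resend cooldown, reset after repeated wrong codes) can be modelled as one small piece of server-side state. This is an added example, not Loophole's implementation; the class, its method names and return strings are hypothetical, and the attempt limit of 5 is an assumption because the page does not give the number.

```python
import hmac
import secrets

CODE_TTL = 600         # the page: codes expire 10 minutes after they're sent
RESEND_COOLDOWN = 60   # the page: 60-second cooldown between resends
MAX_ATTEMPTS = 5       # assumption: the page says only "a number of incorrect attempts"


class CodeSession:
    """State for one email/SMS code challenge (hypothetical model)."""

    def __init__(self, now: float):
        self.closed = False
        self.failures = 0      # kept across resends so a resend grants no extra guesses
        self._issue(now)

    def _issue(self, now: float) -> None:
        # CSPRNG, uniform over 000000-999999; never derive codes from time or user data.
        self.code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sent_at = now

    def resend(self, now: float) -> str:
        if self.closed:
            return "start_over"
        if now - self.sent_at < RESEND_COOLDOWN:
            return "cooldown"
        self._issue(now)       # the new code replaces the old one
        return "sent"

    def verify(self, submitted: str, now: float) -> str:
        if self.closed:
            return "start_over"
        if now - self.sent_at > CODE_TTL:
            return "expired"
        if hmac.compare_digest(self.code.encode(), submitted.encode()):
            self.closed = True  # single use: a verified code cannot be replayed
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.closed = True  # brute-force cap: the session must be restarted
            return "start_over"
        return "invalid"
```

With a 6-digit code, the attempt cap is what keeps guessing impractical: 5 tries against 1,000,000 possible codes, with the counter surviving resends.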
I don't see the SMS Code option
SMS Code only appears once you have a verified phone number on file and SMS consent enabled. If SMS consent is disabled, you will see a banner in your SMS Logs with instructions on how to re-enable texts.
I can't access my 2FA method anymore
See: I lost access to my 2FA method - how do I get back in?
