Two-factor authentication (2FA) protects your account by requiring a fresh 6-digit code from your phone every time you sign in. Even if someone learns your password, they can't get in without your phone. Setting it up takes about two minutes.
Which apps work
Any standard authenticator app works — they all use the same open standard (RFC 6238 TOTP), so the choice is yours:
- Google Authenticator (iPhone, Android)
- Microsoft Authenticator (iPhone, Android)
- 1Password (all platforms)
- Authy (iPhone, Android, desktop)
- Bitwarden (all platforms)
- FreeOTP (open-source, Android, iPhone)
If you already use one for another service (your bank, your work email, GitHub), use the same one — there's no benefit to running two.
Turn it on
- Sign in to AgroYield Network.
- Click your avatar at the top-right, then choose Security. (Or visit /account/security directly.)
- Click Enable two-factor authentication.
- A QR code appears. Open your authenticator app, tap the "+" or "Add account" button, and scan the QR code with your phone's camera.
- Your app will show a 6-digit code that changes every 30 seconds. Type the current code into the Verify & enable field and click the button.
- You're done. The page will show a green Active pill.
If your phone can't scan the QR code (rare, but possible with some authenticator apps), click Can't scan? Enter the key manually below the QR — the page reveals the setup key as text + your account email. Type those into your authenticator app's manual-setup screen.
What changes after you turn it on
The next time you sign in, after entering your password (or signing in with Google), you'll see a small "Verify it's you" page asking for a 6-digit code. Open your authenticator app, find AgroYield Network in the list, and type in the current code. You're back to the dashboard.
The code your authenticator shows changes every 30 seconds. If you mistype or your code expires before you submit, the page will let you try again with the next one.
Turn it off
If you ever want to disable 2FA — for example, if you're switching phones and need to re-enrol later:
- Visit Security in the user menu.
- Click Disable two-factor.
- Confirm the warning. 2FA turns off immediately.
You can re-enable it any time by repeating the setup steps.
Switching phones
If you're moving to a new phone, the safest path is:
- Before wiping your old phone, sign in to AgroYield Network on a laptop or desktop browser, disable 2FA, then enrol again on the new phone.
- If you've already lost access to your old phone, email support@agroyield.africa from your account email — we'll verify your identity and reset the factor manually.
We recommend always keeping a second authenticator (e.g. on a tablet or partner's phone) registered alongside your main one. If you only have 2FA on a single phone and lose that phone, you'll need to go through support to regain access.
What 2FA does NOT protect against
2FA is one layer; here's what it covers and what it doesn't:
- ✅ Protects against: someone guessing or stealing your password.
- ✅ Protects against: automated credential-stuffing attacks where attackers try leaked passwords from other sites.
- ❌ Doesn't protect against: phishing pages that ask you for both your password AND your 2FA code in real time. Always check the URL is agroyield.africa (or app.agroyield.africa) before entering a code.
- ❌ Doesn't protect against: someone with physical access to an unlocked phone that has your authenticator app open.
Use a strong, unique password alongside 2FA, and lock your phone with a passcode or biometrics.
Common questions
Do I need to re-enter the code every single time? Yes, on every fresh sign-in. Once you're signed in, you stay signed in for the normal session length — 2FA only fires at the login step, not on every page.
What if my authenticator app is on a phone with no internet? That's fine — TOTP codes are generated offline. The code is computed from a shared secret + the current time, both of which your phone has even without a network.
Can I use a hardware key (YubiKey, etc.) instead? Not yet. 2FA in AgroYield Network is currently TOTP-only. Hardware-key support is on our roadmap.
I have AgroYield open on multiple devices — will 2FA kick in for each? Yes, each fresh sign-in on each device asks for a code. Once signed in, that device stays signed in.
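How a code is computed offline from the shared secret and the current time, and how a server can tolerate a code that expired while you were typing, shown as an added example (not AgroYield Network's own code). The sample key is the public RFC 6238 test key, and the one-step tolerance in `verify` is an assumption, not a documented AgroYield setting.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the code changes every 30 seconds
DIGITS = 6         # 6-digit codes

# Constructed sample: the RFC 6238 test key, base32-encoded the way setup
# keys are normally displayed. Not a real account secret.
SAMPLE_KEY_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(key_b32, at=None):
    """Return the code for the 30-second step that contains time `at`."""
    at = time.time() if at is None else at
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(at) // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def verify(key_b32, submitted, at=None, drift_steps=1):
    """Server-side check that also accepts `drift_steps` neighbouring steps
    (assumed value) to absorb clock skew and slow typing."""
    at = time.time() if at is None else at
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = at + delta * STEP_SECONDS
        if t < 0:
            continue
        # Constant-time compare, no early exit on a match.
        ok |= hmac.compare_digest(totp(key_b32, t), submitted)
    return ok


if __name__ == "__main__":
    print("code now:", totp(SAMPLE_KEY_B32))
```

No network call appears anywhere in `totp`: the phone and the server each run the same computation on their own clocks, which is why only the time on the phone has to be roughly correct.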
For admin accounts: the operator PIN
If you have admin access to AgroYield Network (membership in any admin role — moderator, finance, verifier, admin, super_admin), you'll see a second section on the same /account/security page titled Operator PIN. This is a different factor from 2FA — they protect different things:
- 2FA (TOTP) gates sign-in. You enter the code once per fresh login, then your session lasts as long as a normal session does.
- Operator PIN gates in-session high-risk actions (Monnify disbursements, settings changes, role grants, legal-agreement publishes). You enter your 6-digit PIN at the moment you fire one of these actions, and that PIN session lasts 15 minutes — long enough to run a sequence of related ops, short enough that walking away from your laptop doesn't leave the platform's float open.
Both are recommended for admin accounts. Setting up the PIN takes 30 seconds: scroll to the Operator PIN section on /account/security, click Set a 6-digit PIN, type a memorable but non-obvious number, confirm. The page also shows you which permission keys you currently hold that are PIN-gated. Five wrong attempts in a row locks the PIN for 15 minutes and pings the security team.
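The PIN rules above (a 15-minute PIN session, five wrong attempts in a row, a 15-minute lock and an alert) written out as a small state machine. This is an added example, not AgroYield Network's implementation: the class name, the salted PBKDF2 storage and the `alerts` list standing in for the security-team ping are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5           # five wrong attempts in a row
LOCK_SECONDS = 15 * 60     # PIN locked for 15 minutes
SESSION_SECONDS = 15 * 60  # a PIN session lasts 15 minutes


class OperatorPinGate:
    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._hash = self._derive(pin)   # never keep the PIN itself
        self.failures = 0
        self.locked_until = 0.0
        self.session_until = 0.0
        self.alerts = []                 # stand-in for the security-team ping

    def _derive(self, pin):
        # Iteration count is an assumed value. A 6-digit PIN has only 10**6
        # candidates, so the attempt limit is the real defence.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def submit_pin(self, pin, now):
        if now < self.locked_until:
            return "locked"              # not evaluated at all while locked
        if hmac.compare_digest(self._derive(pin), self._hash):
            self.failures = 0            # "in a row": a success resets the count
            self.session_until = now + SESSION_SECONDS
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCK_SECONDS
            self.alerts.append(now)
            return "locked"
        return "wrong"

    def may_run_high_risk_action(self, now):
        # True only inside the 15-minute window after a correct PIN.
        return now < self.session_until
```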
If you run into trouble enrolling or signing in with 2FA, email support@agroyield.africa and we'll help you within one business day.

