We take the security of your account and personal information seriously. itch.io supports two-factor authentication via TOTP (Time-based One-time Password Algorithm), in addition to simple password authentication.
The idea behind two-factor authentication is that, to increase security, login should not only require something you know (like a password), but also something you have (like a token).
The objective is to prevent third parties from gaining unauthorized access to your account. One possible implementation is to send an SMS to your mobile whenever you try to log in, after you've typed your password.
This way, an attacker would not only have to know your password, but also be in possession of your mobile phone – or at least, find a way to receive your text messages.
While no system is perfectly secure, this is a step towards ensuring that you and only you can access your account.
TOTP (Time-based One-Time Password algorithm) is a standard algorithm that computes a one-time password from a shared key and the current time.
It is one of the less constraining and most robust forms of two-factor authentication, and is currently used by companies such as GitHub, Amazon, and Facebook.
Setting up TOTP is as easy as following the instructions in the Security tab of your user settings.
The first step involves scanning a QR code on your mobile via one of the supported TOTP mobile applications. We recommend using:
The QR code contains the shared secret, as well as helpful reminders such as your account name, and the issuer (in this case, itch.io).
Once TOTP has been enabled, logging into your account will require you to enter a 6-digit code in addition to your password. The verification code is automatically generated by the mobile app you've installed, and changes every 30 seconds.
Since verification codes are time-dependent, any offset between your phone’s clock and the server time might result in a failed authentication.
In this case, we advise you to adjust your phone’s clock to the correct time. Most mobile operating systems provide a network-based way to automatically adjust your phone to the right time.
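The clock dependence described above, shown as an added example (this is not itch.io's code): a TOTP generator and a server-side check that accepts the current 30-second step plus one step either side. HMAC-SHA1, the one-step acceptance window, and the names `totp`, `verify` and `phone_code` are assumptions; the secret is the RFC 6238 test key, not a real account secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page

# Constructed sample secret (the RFC 6238 test key), not a real account secret.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1 assumed)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept codes from the current step and `window` steps either side.

    The window size is an assumption; the page does not state the server's tolerance.
    """
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        # Constant-time comparison, and no early exit once a match is found.
        ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return ok


def phone_code(secret: bytes, server_time: int, clock_offset: int) -> str:
    """Code shown by a phone whose clock is clock_offset seconds off the server."""
    return totp(secret, server_time + clock_offset)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed server time
    for offset in (0, 20, -40, 90, 300):
        accepted = verify(SECRET, phone_code(SECRET, now, offset), now)
        print(f"phone offset {offset:+4d}s -> accepted={accepted}")
```

A phone that is a few tens of seconds off still lands inside the accepted steps; one that is minutes off produces a code for a step the server never checks, which is the failed authentication described above.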
When enabling two-factor authentication, a set of 8-digit recovery codes is generated. You should print them and keep them with you whenever you might need to log in to the site.
These codes allow you to log in without using your mobile phone at all. It is imperative for you to keep them in a safe place to avoid being locked out of your account.
SMS two-factor authentication has been deprecated by NIST experts and will not be added to itch.io. TOTP two-factor authentication is a better guarantee and works even without mobile network coverage.