Two-Factor & Security

Available via: Dashboard only

Inflow uses TOTP (Time-based One-Time Password) for two-factor authentication, compatible with apps like Google Authenticator, 1Password, Authy, and similar.

When TOTP Is Required

Action / TOTP behavior:

  • Sign in: required as the second step of login if TOTP is enabled. You enter your password first, then your 6-digit code.
  • Add or delete a payout destination (bank or wallet): step-up. Inflow re-asks for a fresh code even if you are already signed in.
  • Execute a withdrawal: step-up.
  • Approve a pending withdrawal (when Payout Policy is enabled): step-up.

Step-up means Inflow trusts your session for browsing the dashboard, but asks for a brand-new TOTP code right before sensitive operations. A step-up code is accepted only if it is at most 1 minute old, so a stolen session cookie alone is not enough to move funds; the attacker would also need your authenticator device at the moment of the action.

Currently, rotating API keys and changing the Payout Policy do not trigger step-up TOTP — the regular login session is sufficient. Treat your dashboard session and your password as security-critical for these two actions.

Setting Up TOTP

  1. Go to Settings → Security.
  2. Click Enable Two-Factor Authentication.
  3. Scan the QR code with your authenticator app, or copy the secret manually.
  4. Enter the 6-digit code shown by your app to verify.
  5. Save your recovery codes somewhere safe — they are the only way to regain access if you lose your authenticator device.

Recovery Codes

When you enable TOTP, Inflow generates 8 single-use recovery codes. Each one can be used once instead of a 6-digit TOTP code, in case you lose access to your authenticator app.

  • Generate a new set if you suspect they have leaked or after using one — used codes are permanently invalidated.
  • Store them outside your password manager if possible (e.g. printed and locked away).
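The following is an added illustration of the behaviour described above (the step-up check with its 1-minute freshness window, and the eight single-use recovery codes); it is not Inflow's own code. It implements RFC 6238 TOTP over HMAC-SHA1 with the default 30-second step (an assumption, since the page does not state the step), contrasts the login check with the stricter step-up check, and stores recovery codes only as hashes. The 20-byte secret is the RFC 6238 reference secret and every timestamp is constructed for the example; the class and method names are hypothetical.

```python
"""Added illustration of TOTP login, TOTP step-up and single-use recovery codes.
Not Inflow's code. SECRET is the RFC 4226/6238 reference secret; timestamps are
constructed for the example."""
import hashlib
import hmac
import secrets
import struct

STEP = 30               # time step in seconds (RFC 6238 default, assumed here)
DIGITS = 6              # the page says codes are 6 digits
STEP_UP_MAX_AGE = 60    # the page says a step-up code may be at most 1 minute old
SECRET = b"12345678901234567890"   # RFC reference secret, constructed input


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP)


class SecondFactor:
    """Server-side second-factor state for one user (hypothetical class)."""

    def __init__(self, secret: bytes, recovery_count: int = 8):
        self.secret = secret
        self.last_counter = -1        # highest counter already accepted (replay guard)
        self.recovery_plain = []      # shown to the user once; a real server would not keep it
        self.recovery_hashes = set()  # only hashes are stored
        self.regenerate_recovery_codes(recovery_count)

    def _accept(self, code: str, counters) -> bool:
        """Accept `code` if it matches a counter in `counters` that was not used yet."""
        for counter in counters:
            if counter <= self.last_counter:
                continue  # replayed, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def verify_login(self, code: str, now: int) -> bool:
        """Login step: tolerate one step of clock drift in either direction."""
        current = now // STEP
        return self._accept(code, range(current - 1, current + 2))

    def verify_step_up(self, code: str, now: int, max_age: int = STEP_UP_MAX_AGE) -> bool:
        """Step-up: the code must have been displayable within the last `max_age` seconds."""
        current = now // STEP
        # Counter c covers [c*STEP, (c+1)*STEP); keep counters overlapping [now-max_age, now].
        fresh = [c for c in range(current - max_age // STEP - 1, current + 1)
                 if c >= 0 and (c + 1) * STEP > now - max_age]
        return self._accept(code, fresh)

    def regenerate_recovery_codes(self, count: int = 8) -> list:
        """Replace the whole set; every previously issued recovery code stops working."""
        self.recovery_plain = [secrets.token_hex(5) for _ in range(count)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest()
                                for c in self.recovery_plain}
        return self.recovery_plain

    def use_recovery_code(self, code: str) -> bool:
        """Each recovery code works exactly once, in place of a TOTP code."""
        digest = hashlib.sha256(code.strip().encode()).hexdigest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.remove(digest)   # permanently invalidated
            return True
        return False


if __name__ == "__main__":
    sf = SecondFactor(SECRET)
    now = 100  # constructed clock: current counter is 3, window 90..119
    print("stale code (counter 0):", sf.verify_step_up(hotp(SECRET, 0), now))
    print("fresh code (counter 3):", sf.verify_step_up(hotp(SECRET, 3), now))
    print("same code again:      ", sf.verify_step_up(hotp(SECRET, 3), now))
    first = sf.recovery_plain[0]
    print("recovery code once:   ", sf.use_recovery_code(first))
    print("recovery code twice:  ", sf.use_recovery_code(first))
```

The step-up check deliberately keeps a per-user `last_counter`: without it, a code that was sniffed during the 1-minute window could be replayed for a second payout-destination change before it expires. The login check is looser (one step of drift either way) because it gates only the session, not a funds movement.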

Best Practices

  • Enable TOTP for every member with Admin or Owner role.
  • Pair Owner accounts with hardware-backed authenticator apps.
  • Rotate API keys after revoking a member's access. See API Keys.
  • Combine with a strict Payout Policy so even compromised credentials cannot move large amounts alone.