# Two Factor Authentication
## What is Two-Factor Authentication, and why should I use it?
Two-Factor Authentication (also called "2FA") adds another layer of security to your account, making it nearly impossible for the account to be compromised. This protects your account and all that's on it - your characters, your items and your gold.
If someone were to figure out your accountname and password (which should always be something strong and unique), they cannot login to your account unless they have the PIN from your authenticator. This PIN is generated by an app on your phone or device and is refreshed every 30 seconds.
We have two alternatives for our Two-Factor Authentication
- IP-lock - only require the PIN when logging in from a new IP-address
- Always - require the PIN for each login
Note that the website will always require you to enter the PIN-code generated by your app, regardless if you have IP-lock enabled or not.
### Things to note before you enable Two-Factor Authentication
- Enabling GeoLock on your account will remove Two-Factor Authentication, and vice-versa. Only one of these may be active at any given moment
- __You must save your recovery keys__ - this will allow you to recover your account if you are no longer able to get your PIN from your device.
- The secret token, QR-code and recovery keys are unique to your account, and these keys will regenerate if you disable and re-enable Two-Factor Authentication! This means that you need to save your _new_ recovery keys and secret token if you for any reason disable and re-enable Two-Factor Authentication.
- The recovery-keys are usable ONE time each. These are used as a substitute for the PIN when logging into the website.
You can generate new recovery keys from the [Two-Factor Authentication settings page](https://lightshope.org/account/twofactor) in the account control panel
- You should save your secret token - this will allow to you add your authenticator again if you have a new device
- If you are playing on a public IP or through a VPN, its not recommended to use IP-lock, you should instead have it requested for each login
### How do I enable Two-Factor Authentication?
You can enable Two-Factor Authentication on the [account control panel](https://lightshope.org/account/twofactor). Your email will need to be verified before you can proceed to the control panel.
Once you're signed on to the control panel and your email is verified, head over to the [Two-Factor Authentication settings page](https://lightshope.org/account/twofactor). __Read the information carefully!__
Follow all the steps as shown on that page. Here's a brief step-by-step
- Download the authentication-app to your phone or device
- Open the app, scan the QR-code (or manually input the security token)
- Remember to save this security token somewhere safe!
- Select IP-lock or to always require authentication
- Save your recovery keys somewhere safe! This will allow you to regain access to your account if you lose your device
- Save the changes, enabling Two-Factor Authentication!
If you followed the steps in the control panel, your authenticator is now active! After you have completed this process, your will be prompted to input a PIN when you log into the game. Depending on what option you chose, this will either be when logging in from a new IP-address, or on every login.
### I'm having problems with my authenticator and cannot log in!
If you follow the procedure above, and take care of your recovery keys, you can take action on your account yourself without having to interact with members of our team - and recover your account within minutes!
#### I want to remove my authenticator
__If you have access to the account:__
Log on to the account control panel and navigate to the [Two-Factor Authentication page](https://lightshope.org/twofactor). You will be able to disable your authenticator there.
__If you do NOT have access to the account:__
- If you are unable to log in to the account due to an incorrect password, you will have to [reset the password](https://lightshope.org/reset) first.
- If the PIN is incorrect, attempt to synchronize the device (see below)
- Attempt to use one of your recovery codes
- If you do not have any recovery codes, or do not have the device that generates the PIN, you can request a manual removal (see below)
#### My device isn't giving me the correct pin
Ensure that your application and your device/phone are properly synced in time. If both your device and app are synced, you likely disabled and re-enabled the authenticator at some point. If that is the case, then you must use the newest recovery keys and newest security tokens. Should you not have these, and you have tried to sync your device, you must request a manual removal.
#### I have lost my device / I don't have the authenticator anymore!
If you have the secret token or the QR-code you enabled your authenticator with, you can use this to add the authenticator to your device again (or a new one) and get the PIN codes again. Depending on when the authenticatior was enabled, the QR-code may have been sent to you in an email. For some authenticatiors, this email was not sent, and requires you to have saved the QR-code, recovery keys or secret token.
Should you for some reason be unable to add your authenticatior to your device, and you enabled your authenticator after October 2017, then you can use any of the valid recovery keys to log in to the account control panel. These keys are only usable one time per key. The recovery key will substitute the PIN when logging into your account on the website (and not the game).
#### I enabled my authenticator a long time ago, on Elysium, and don't have the authenticator anymore!
_This section is only for authenticators that was enabled prior to October (not for any authenticator enabled under the Light's Hope domain):_ Your QR-code was sent to the email associated with your account if you enabled the authenticator on Elysium. You can scan this on your device and enable it again. We recommend that you disable this authenticator, and re-enable it under the Light's Hope domain. This ensures that the data is correct and will allow you to generate the recovery keys.
We are not able to resend your QR-code if you have deleted the mail.
#### There's an authenticator on my account, but I didn't add one...
It's possible you are seeing the GeoLock, and not the Two-Factor Authenticator. If the account is GeoLock-protected, you will be mailed the PIN required to the email associated with the account.
If you are certain the account has Two-Factor Authentication on it, and you didn't enable it yourself, it's possible your account was compromised, and that those that compromised the account added this authenticator on the account. Should this be the case, you will need to request a manual removal.
#### I've tried everything... I can't login!
We can manually remove your Two-Factor Authentication, but this is something we would rather avoid if we can. It would be better - __and faster__ - for you to try the suggestions above before filing a request for Two-Factor Authentication removal. Requesting Two-Factor Authentication removal is a process that will take time, and due to the nature of these requests we are not able to provide an estimated time of completion.
__Exhaust all other options before filing a manual removal request!__
As a last resort you may request a manual removal of your authenticator by clicking on the "I've lost my 2fa codes! Help" link when attempting to sign in to the website. Should the link say "_Resend GeoLock codes_" instead, then your account does not have Two-Factor Authentication enabled, and GeoLock is enabled instead.
__Please read the information there carefully before submitting your request__. Your post will only be visible to yourself and a few select senior members of staff. Once the request is filed, it may take some time before it is processed; we will get to them as quickly as we can, but Two-Factor Authentication Removal Requests have no estimated time of completion.