Two-Factor Authentication

1What is 2FA

Definition

Two-Factor Authentication (2FA / Two-Factor Authentication) — this additional level protection account, which requires two method confirmation identity:

1. that-the, that you you know: password
2. that-the, that you have: phone or authenticator

How it works

when login in account:

1. Enter email and password (how usually)
2. System requests second factor
3. Enter 6--digit code from app or SMS
4. only after that receive access

Why you need 2FA

Protection from:

• Hacking password: brute-force, phishing, leaks bases data
• Interception of sessions: stolen cookies
• Unauthorized access: if who-the found out password
• Losses money: if seller account is hacked

Statistics:

• 99.9% of attacks are blocked with active 2FA
• Accounts without 2FA are hacked 100+ times more often
• In 2024 78% successful hackingin — accounts without 2FA

2Methods 2FA

Available methods

Methods comparison

Authenticator (recommended):

• Maximum security
• works offline
• Free
• codes change every 30 seconds
• Requires installation app

SMS:

• Simplicity use
• No additional apps
• Vulnerable to SIM-swap attacks
• Does not work without a signal
• May incur charges (roaming)

Backup codes:

• always work
• Not depend from devices
• Oneone-time (10 codes)
• May be lost
• only for recovery

3setting 2FA in app

Step 1: Set up the app-authenticator

Best app:

• Google Authenticator
  • iOS: App Store
  • Android: Google Play
  • Free and simple
• Microsoft Authenticator
  • iOS & Android
  • Cloud backup
  • Additional features
• Authy
  • iOS, Android, Desktop
  • Multi-device
  • Cloud synchronization
• 1Passwords are case-sensitiveds are case-sensitived
  • if already uses a password manager
  • Paid subscription
  • all in one location

Step 2: Enable 2FA on shookout.com

1. Log into your account on shookout.com
2. Go to Settings → Security
3. Find section "Two-Factor Authentication"
4. Click "Enable 2FA"
5. Select "Authenticator app"
6. Enter current password to confirm

Step 3: Scan QR-code

1. On screen will appear QR-code
2. Open app-authenticator on your phone
3. Click "+" or "Add account"
4. Select "Scan QR code"
5. Point the camera at the QR code
6. Account "shookout.com" will appear in the app

if not can scan:

• Click "Enter code manually" below the QR code
• Copy the secret key (for example: JBSWY3DPEHPK3PXP)
• In the app, select "Enter key manually"
• Paste key
• Name account: shookout.com
• Type: By time

Step 4: Enter verification code

1. In the authenticator app, find shookout.com
2. You will see 6--digit code (for example: 123 456)
3. code updates every 30 seconds
4. Enter this code on site shookout.com
5. Click "Confirm"

Step 5: Save backup codes in multiple secure locationsackup codes

1. after successful settings will appear list from 10 codes
2. each code — one-time, 8 characters
3. Example: A5F3-9K2L
4. Click "Download codes" (a .txt file will be saved)
5. Or copy and save in a secure location:
   • Manager passwords (1Passwords are case-sensitiveds are case-sensitived, Bitwarden)
   • Encrypted note
   • Print and store in a safe

Step 6: Done!

Now when each login system will be proh code from the authenticator app.

4setting 2FA in SMS

When use SMS

• No smartphone to install the app on
• how reserve method alongside the authenticator
• Temporary solution

setting SMS 2FA

1. Settings → Security → 2FA
2. Click "Enable 2FA"
3. Select "SMS"
4. Enter number phone in international format:
   • +7 (Russia): +79001234567
   • +380 (Ukraine): +380501234567
   • +1 (USA): +15551234567
5. Click "Send code"
6. Your phone will receive an SMS with a 6-digit code
7. Enter code on the site
8. Click "Confirm"
9. Save backup codes in multiple secure locationsackup codes

Restrictions SMS

• Delay: SMS can go in 1-5 minutes
• Roaming: can not work for abroad
• SIM-swap: vulnerable to SIM swap attacks
• Cost: some carriers charge a fee

5Using 2FA on login

Standard login

1. Go to on shookout.com
2. Click "Log in"
3. Enter email and password
4. Click "Continue"
5. Will open page input 2FA code
6. Open app-authenticator
7. Find shookout.com and look at code
8. Enter 6--digit code on site
9. Click "Confirm"
10. you logged in!

Trusted device

To not enter code each times:

• when login check the checkbox "Remember this device on 30 days"
• 2FA will not be requested on this device for 30 days
• On new devices a code will always be required

Management trusted devices:

• Settings → Security → Devices
• You will see list all trusted devices
• You can delete any device
• when next login with it will be required code

Login with backup code

if no access to the authenticator:

1. On the page input 2FA code click "Use backup code"
2. Enter one of the saved codes
3. Click "Confirm"
4. Code will be used (no longer valid)
5. You remaining 9 codes

6Backup codes

that this

Backup codes are one-time login codes for when:

• You lost your phone with the authenticator
• SMS not working (no signal, abroad)
• Phone ran out of battery
• Phone was reset to factory settings

how get backup codes

when first setting 2FA:

• codes generated automatically
• Shown only once
• Mandatory save!

after settings:

1. Settings → Security → 2FA
2. Find "Backup codes"
3. Click "Show codes"
4. Enter password
5. You will see a list of codes

Format codes

• 10 codes included
• Format: XXXX-XXXX
• Letters and digits
• Case is not important

how store backup codes

Correctly:

• Passwords are case-sensitiveds are case-sensitived manager (1Passwords are case-sensitiveds are case-sensitived, Bitwarden, LastPass)
• Encrypted file in cloud (Cryptomator + Dropbox)
• Print and store in a safe at home
• Write in a notebook in a secure location

Incorrectly:

• In an unprotected note on your phone
• In a plain text file on your computer
• In an email to yourself
• In cloud without encryption
• On screenshot in gallery

Usage backup code

1. when login on page 2FA click "Use backup code"
2. Enter code (with hyphen or without — not important)
3. code will work only once
4. after use code becomes invalid

Generate new codes

if used all codes or want update:

1. Settings → Security → 2FA
2. Click "Generate new backup codes"
3. Confirm action
4. old codes will become invalid
5. Get 10 new codes
6. Save their

72FA management

Adding second method

for added reliability you can enable two method simultaneously:

1. Settings → Security → 2FA
2. if already configured authenticator, click "Add method"
3. Select "SMS"
4. Configure SMS
5. Now can select method when login

Changing the primary method

1. Settings → Security → 2FA
2. You will see list active methods
3. Next to the method is a button "Set as primary"
4. Click on the desired method
5. it will become method by default when login

Deletion method

If you want to remove one of the methods:

1. Settings → Security → 2FA
2. Next to the method is a button "Delete autofill"
3. Confirm deletion
4. Method will be disabled

Complete disabling 2FA

if want disable two-factor authentication fully:

1. Settings → Security → 2FA
2. Click "Disable 2FA"
3. Enter password
4. Enter code 2FA (last times)
5. Confirm disabling
6. 2FA disabled

8Access recovery

if lost phone

Option 1: Use backup code

1. On the page login select "Use backup code"
2. Enter one of the saved codes
3. Log into your account
4. Immediately configure 2FA on the new device
5. Generate new backup codes

Option 2: SMS (if configured)

1. when login select "Receive code by SMS"
2. code will come on linked number
3. Enter code
4. Log into your account

Option 3: Contact with support

1. if no neither backup codes nor access to SMS
2. On the page login click "Can't log in"
3. Select "Issue with 2FA"
4. Fill in form:
   • Email account
   • Last login date
   • Recent purchases (if were)
   • Photo document for verification identity
5. Send request
6. Support will respond within 24-48 hours
7. after verification 2FA will be temporarily disabled

if changeor number phone

If SMS is linked to an old number:

1. Log into your account (use authenticator or backup code)
2. Settings → Security → 2FA
3. Find method "SMS"
4. Click "Change number"
5. Enter new number
6. Confirm in code on new number

If you reset your phone

after reset phone authenticator will is deleted:

1. Log into your account using backup code
2. Settings → Security → 2FA
3. Delete autofill the old authenticator method
4. Reconfigure (new QR code)
5. Generate new backup codes

9Best practices

Security 2FA

• Use app for up to SMS
• Save backup codes in multiple secure locationsackup codes in several locations
• Enable cloud backup in the authenticator (Authy, MS Authenticator)
• Regularly check trusted devices
• Update backup codes times in 6-12 months
• Don't share codes with no one, not even support
• Not store codes in plain text
• Not do screenshots QR-codes

Backup

Configure multiple methods:

• main: app-authenticator
• Backup: SMS on other number
• Emergency: backup codes in a safe

Where store backup codes:

1. Main copy: manager passwords (1Passwords are case-sensitiveds are case-sensitived, Bitwarden)
2. Backup copy: print and in safe/reliable to
3. Emergency copy: with a trusted person (member family)

What to do BEFORE resetting your phone

1. Log into all accounts with 2FA
2. Temporarily disable 2FA or use authenticator with cloud backup
3. Make sure, that backup codes saved
4. after reset configure 2FA again

Regular verification

Once in 3 month:

• Check trusted devices list
• Delete old/unused
• Make sure, that backup codes available
• Test login with backup code
• Update codes if remaining <3

10Frequently asked questions

Is it required 2FA on shookout.com?

For regular users — no. For sellers — really recommended for protection income.

Can I use one authenticator for several accounts?

Yes! In one app you can add unlimitedpermanent number accounts. each will be a separate entry.

that do if code not perceived?

Check time on phone — automatic sync must be enabled. Incorrect time = wrong codesodes.

How many backup codes you can use?

All 10 codes, each one-time. When they run out — generate new.

Can I use 2FA on several devices?

Yes! Scan one QR-code on several devices. Or use Authy with synchronization.

that if lost backup codes?

if is access to account — go to and generate new. if no access — only in support.

Is cloud backup in the authenticator safe?

Yes, if you use a reliable password and enabled 2FA for the authenticator itself (Authy, MS Authenticator).

Is it necessary to enter code on each login?

No, if you check "Remember device" — code not will be required 30 days on this device.

Can I disable 2FA if forgot password?

No. First restore your password, then you can manage 2FA.

Support asked for a 2FA code — this normal?

no! Those are scammers. Real support NEVER asks for codes 2FA or passwords.