The marketplace has launched TOTP-based two-factor authentication for all user accounts, filling a security gap that the community had identified as a priority improvement in feedback forums throughout 2025. The feature adds a second verification step to the login process that significantly reduces the risk of account takeover even if credentials are compromised.

Two-factor authentication using Time-based One-Time Passwords (TOTP) requires two things at login: the correct password and, once credentials have been entered, a 6-digit code generated by an authenticator application. The code changes every 30 seconds and is derived from a shared secret established during 2FA setup. Without the authenticator app or recovery codes, the code cannot be generated.

For privacy-conscious users, the platform's 2FA implementation uses offline-compatible TOTP rather than SMS-based verification. SMS-based 2FA is problematic for anonymous users because it requires a phone number. The TOTP implementation works with any standard authenticator application, including Aegis Authenticator for Android (recommended for its encrypted backup support and open-source code).

Setup generates a set of recovery codes that should be stored securely offline. The platform explicitly does not store backup copies of 2FA secrets. Vendors are strongly encouraged to enable 2FA, and it is mandatory, effective immediately, for accounts with marketplace moderator or staff access. For comprehensive account security guidance, see our OPSEC guide.