How do I enable two-factor authentication (2FA)?
Profile → Security → Enable 2FA. Use an authenticator app (Aegis, Google Authenticator, 1Password) — never SMS.
Why 2FA matters
Without 2FA, any attacker who learns your password can drain your account. With TOTP-based 2FA, they also need your phone or authenticator app — a much higher bar.
We strongly recommend enabling 2FA before you make your first deposit. We award +100 XP when you enable it as a security incentive.
Setup (60 seconds)
- Profile → Security → Enable 2FA
- Install an authenticator app on your phone if you don't have one (recommended apps below)
- Scan the QR code displayed on screen — your app adds Cinoslots to its list
- Enter the 6-digit code your app shows
- Save the backup codes somewhere offline (paper, password manager) — see backup codes
- Done. Future logins prompt for the 6-digit code after your password.
Recommended authenticator apps
| App | Platform | Why | |-----|----------|-----| | Aegis | Android | Open-source, encrypted backups, no cloud requirement | | Raivo | iOS | Open-source, iCloud sync optional | | 1Password / Bitwarden | Both | Integrated into your password manager (best UX) | | Google Authenticator | Both | Most familiar; supports Drive backup | | Authy | Both | Cloud sync; less private than alternatives |
Why NOT SMS 2FA
We deliberately don't offer SMS 2FA. SMS is vulnerable to:
- SIM-swap attacks — attacker convinces your carrier to port your number
- SS7 protocol attacks — interception at the carrier level
- Stalkerware — apps reading your SMS
TOTP apps are immune to all three. The Cinoslots-recommended path is TOTP only.
What if I lose my phone?
Use one of your backup codes to log in. Each is single-use; we generate 8 fresh codes when you enable 2FA. Save them somewhere offline. See backup codes.
If you lost both phone AND backup codes, you can recover via manual support — see account locked.
Disabling 2FA
You can disable it from Profile → Security → Disable 2FA (requires current 2FA code). Disabling triggers a 48-hour withdrawal cool-off as an anti-takeover measure.
Hardware key support
We support WebAuthn / FIDO2 hardware keys (YubiKey, Solokey, Trezor, Ledger). Add one under Profile → Security → Add hardware key. We recommend hardware keys as a replacement for, not addition to, TOTP for highest security.
お役に立ちましたか?
550人の読者の99%が役に立ったと評価しました。
さらにサポートが必要ですか?
24/7 チームが 1 分以内に返信します。
関連記事
What are 2FA backup codes and how do I use them?
8 single-use codes printed when you enable 2FA. Save them offline — they're your fallback if you lose your phone.
How do I see and revoke active sessions?
Profile → Security → Active sessions shows every device logged in. Sign out anything you don't recognize, then change your password.
How do I change my password?
Settings → Security → Change password. Old password + new (12+ chars, must reach Strong) + 2FA code if enabled.