Two-factor authentication (2FA)

Two-factor authentication (2FA) means a second check after your password (or your Sign in with Google / Microsoft style link). A stranger who only knows the password or intercepts a mail link still cannot finish signing in as you without the second factor, which is usually a one-time code on your phone or a hardware key.

We strongly recommend 2FA for the owner and anyone who can access billing or change team membership.

Turn on 2FA (typical flow)

Sign in to Expanse Panel.
Open your profile or Account / Security (wording in the app may differ slightly over time).
Find Two-factor or Authenticator and follow the Enable path.
Scan the QR code with a supported authenticator app (common options include Google Authenticator, 1Password, Aegis, and similar).
Enter the test code the panel shows to confirm the setup.
Save your backup codes if the app offers any—store them offline (paper, safe), not in the same file as your password on the same computer.

The exact order of pages can change, but the idea is always: pair a device → prove it works → lock in.

Losing a phone or a key

Use backup codes first if the sign-in page asks for them.
If you have no backup and no device, the account may need a support-assisted recovery. That will take time and proof that you are the real user—this delay protects against attackers who pretend to be you. Open Support and contact and be patient.

2FA and your team

2FA is on your user, not on “the team.” Each member should enable it on their own login.
If an owner has no 2FA, the team is at higher takeover risk. Promote 2FA from day one, not as a “later if we are bored” item.

Things that are not 2FA

Typing a static “secret word” in a chat with support. That is not a second factor; use real 2FA in the app.
Email alone as “proof” in some banks is weaker than a time-based code. Prefer an authenticator or key for the Expanse panel if available.

Good security habits
Inviting members so you do not share one password across people