Two-factor authentication
ItemTrack supports TOTP-based two-factor authentication. When enabled, signing in requires both your password AND a 6-digit code from an authenticator app on your phone.
Why turn it on
If your account contains things you'd hate to lose — insurance documentation, photos of valuables, serial numbers, purchase prices — 2FA is the single best protection against an attacker who got your password from another breach.
It's not bulletproof. Phishing can still trick you into entering both. But the bar is much higher than password-only.
Compatible apps
Any TOTP-compliant app works. Some good ones:
- 1Password / Bitwarden — password manager + authenticator combined. Most convenient if you already use one.
- Authy — cloud-backed authenticator, multi-device support.
- Google Authenticator — basic, gets the job done.
- Microsoft Authenticator — also basic, but auto-recovers via Microsoft account.
- Yubico Authenticator with a YubiKey — for hardware-backed 2FA.
The TOTP standard (RFC 6238) is what makes them all interchangeable.
Setup
- Go to your profile page.
- Find the Two-factor authentication section. Click Enable.
- We show a QR Label. Open your authenticator app, scan it. The app starts generating 6-digit codes.
- Type the current 6-digit code from the app into the verify box. Hit Confirm.
- We then show you 10 one-time recovery codes. Save them somewhere outside the app — a password manager, paper, anywhere except inside ItemTrack itself. See Recovery codes.
Once 2FA is on, every sign-in asks for the code after your password.
Disabling 2FA
Go to your profile page → Two-factor authentication → Disable. We ask for your current password to confirm. Once disabled, recovery codes are also wiped (they're useless without 2FA enabled).
If you can't sign in to disable, see Account recovery.
Multi-device
You can scan the same QR Label from multiple authenticator apps if you want a backup device. Both will generate the same 6-digit code (they're computed from the same secret + current time).
If you ever lose all your authenticator devices, your recovery codes are the only way back in.
Time skew
TOTP codes are valid for 30 seconds. If your phone's clock is wildly off (more than ~90 seconds), the codes won't match. Make sure your authenticator app's time is in sync with the network — most apps handle this automatically.
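The behaviour described under Multi-device and Time skew, as an added example (not ItemTrack's own code): an RFC 6238 code is derived only from the shared secret and the current 30-second step, so two devices agree, and a device whose clock is far off produces a code the server will not accept. The secret is the RFC 6238 test key, and the `verify` helper with its one-step tolerance is an assumption, not ItemTrack's documented setting.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid (RFC 6238 default, as on this page)
DIGITS = 6

# Constructed sample secret: the published RFC 6238 test key, base32-encoded
# the way it would be carried inside the QR payload.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, server_time: float, window: int = 1) -> bool:
    """Accept the code for the server's current step or `window` steps either side.

    The window size is an assumed value chosen for illustration.
    """
    now_step = int(server_time) // STEP
    ok = False
    for step in range(now_step - window, now_step + window + 1):
        # Constant-time comparison; check every candidate rather than exiting early.
        ok |= hmac.compare_digest(totp(secret_b32, step * STEP), submitted)
    return ok


if __name__ == "__main__":
    server_now = 59                              # constructed server clock
    phone, tablet = totp(SECRET, 59), totp(SECRET, 45)
    print("two devices, same secret, same step:", phone, tablet)
    for skew in (20, 120):                       # device clock running ahead
        code = totp(SECRET, server_now + skew)
        print(f"device {skew:>3}s ahead -> {code} accepted={verify(SECRET, code, server_now)}")
```

A wider window tolerates more clock drift but also lengthens the time a captured code stays usable.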
Phishing protection
A phishing site that looks like ItemTrack can ask for your password AND your TOTP code. Since the TOTP is a 6-digit code that expires in 30 seconds, the phisher needs to use it immediately to log in to the real ItemTrack. An automated tool is fast enough to do that, but it still slows the attacker down compared to password-only.
Better: use a password manager that auto-fills only on the real store.sampletrack.one URL. The password manager won't auto-fill on a phishing site, which is your warning sign.
What if I lose my phone
See Account recovery.