# Data protection
2FAuth provides several security mechanisms to protect your sensitive 2FA data, at administrator level or at user level.
## For administrators
### DB encryption
Sensitive data stored in the database (the 2FA secret and the otpauth URI) can be encrypted to protect it against a database compromise.
Check the Protect sensitive data option in 2FAuth's Admin > App setup section to enable encryption.
Encryption applies to all users' data.
Warning: it is strongly recommended to back up the APP_KEY value defined in your .env file (or the whole file) when encryption is enabled.
There is no way to generate a One-Time Password if you lose this key, and there is no workaround in case of key loss.
## For users
### Auto lock
2FAuth can automatically log you out to keep your data protected at all times. The goal is to avoid a long-lived session that someone else could reuse, for example from a public computer you forgot to log out of or from your own stolen smartphone.
Use the Auto lock combobox in 2FAuth's Settings > Options section to select a trigger or to disable the feature.
### Sensitive data hiding
You can configure 2FAuth to display obfuscated One-Time Passwords rather than human-readable ones.
This protects against shoulder surfing, where a third party reads your password by watching over your shoulder as you generate a fresh one.
Of course, this is only suitable if you can use the copy/paste feature to provide the password to the destination service.
Simply click/tap the (obfuscated) password in 2FAuth to copy it!
Check the Show generated one-time passwords as dot option in 2FAuth's Settings > Options section to enable obfuscation.