Why We Made 2FA Mandatory
(And Why You Should Use Aegis)
As of today, every FaceVault developer account requires two-factor authentication. No skip button. No "remind me later." You set up TOTP before you see the dashboard. Here's the story of why, how to protect your authenticator itself, and the app that made me stop worrying about it.
The Problem With "Optional"
I've been building web apps for years, and there's a pattern I've seen at every company, every project, every team: you ship 2FA as opt-in, you announce it in the changelog, and then you check the adoption numbers a month later. They're always bad. Single digits. Maybe 15% if you're lucky and your users are developers.
The security-conscious people enable it on day one. The people who need it most — the ones reusing passwords, the ones who've never heard of credential stuffing — they never touch it. "Optional 2FA" is security theatre for the people who were already secure.
I know the counterarguments. "You'll lose signups." "It adds friction." "Let users make their own choices." And I understand them. For a social media app, for a todo list, for a cooking blog — maybe. But FaceVault isn't any of those things.
FaceVault is a platform where developer accounts have access to face embeddings, identity documents, and biometric verification data. A compromised developer account doesn't just leak an email address. It leaks faces. That's a different conversation entirely.
When Your Data Is Someone's Face
Here's the thing about biometric data that makes it fundamentally different from any other kind of data: you can't rotate it.
If your password leaks, you change it. If your API key leaks, you revoke it and issue a new one. If your credit card gets skimmed, the bank sends you a new number. These are all recoverable incidents.
If someone's face embedding leaks? That person's face is compromised forever. They can't get a new face. They can't rotate their biometrics. The damage is permanent and irreversible.
FaceVault developer accounts can access:
Session photos and identity documents
The actual ID photo, selfie, and liveness frame from each verification session.
Face embeddings
128-dimensional ArcFace vectors that can identify a person across sessions. The fingerprint search endpoint runs cosine similarity against every stored embedding.
Extracted document data
Full names, dates of birth, nationalities, document numbers — everything the OCR and MRZ pipeline pulls from the ID.
A password alone guarding all of that? That's not a security posture. That's a liability.
How It Works
The implementation is deliberately simple. When you log in to the FaceVault dashboard and haven't set up 2FA, you see a full-screen setup gate. No sidebar. No navigation. No "skip for now." Just a QR code, a six-digit input, and a clear message: this is required.
The mandatory 2FA flow
On the backend, every sensitive endpoint — API keys, usage data, sessions, photos, billing, verification links — is gated behind a require_developer_2fa dependency. If your account doesn't have TOTP enabled, those endpoints return HTTP 403. Not 401 (that's for missing auth). 403: you're authenticated, but you haven't met the security requirement.
The only endpoints exempt from 2FA are the ones you need to set up 2FA: your profile (so the dashboard can detect your TOTP status), the TOTP setup endpoint (to generate the secret), and the TOTP confirm endpoint (to enable it). Everything else is locked.
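The setup, confirm and gate logic described above, as an added example in plain Python (standard library only; this is not FaceVault's code). The `Developer` class, the route paths in `TOTP_EXEMPT` and the function names are assumptions for illustration; the TOTP arithmetic follows RFC 6238 (HMAC-SHA1, 30-second steps, six digits), which is what the QR code tells the authenticator to use.

```python
# Added example, not FaceVault's code: a minimal TOTP enrolment flow and the
# 401/403 gate the post describes, standard library only.
# Developer, gate_request, TOTP_EXEMPT and the route paths are assumed names.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

TOTP_STEP = 30      # seconds per RFC 6238 time step
TOTP_DIGITS = 6


def new_totp_secret() -> str:
    """160-bit random secret, base32 without padding (what the QR code carries)."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def totp_at(secret_b32: str, timestamp: float) -> str:
    """RFC 6238: HOTP(key, floor(T / step)) with HMAC-SHA1 and dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = int(timestamp) // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def verify_totp(secret_b32: str, code: str, timestamp: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock drift).
    Constant-time compare, and every step is checked so timing does not leak
    which one matched."""
    if not (code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    now = time.time() if timestamp is None else timestamp
    ok = False
    for k in range(-window, window + 1):
        ok |= hmac.compare_digest(totp_at(secret_b32, now + k * TOTP_STEP), code)
    return ok


def otpauth_uri(secret_b32: str, account: str, issuer: str = "FaceVault") -> str:
    """The text the enrolment QR code encodes; authenticator apps parse this."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={TOTP_DIGITS}&period={TOTP_STEP}")


@dataclass
class Developer:
    email: str
    totp_secret: Optional[str] = None   # written by setup
    totp_enabled: bool = False          # flipped only by a successful confirm


# The only routes reachable before TOTP is enabled: profile, setup, confirm.
TOTP_EXEMPT = {"/me", "/totp/setup", "/totp/confirm"}


def gate_request(path: str, developer: Optional[Developer]) -> int:
    """Status the gate returns: 401 with no valid session, 403 when
    authenticated but TOTP is off and the route is protected, 200 otherwise."""
    if developer is None:
        return 401
    if path in TOTP_EXEMPT or developer.totp_enabled:
        return 200
    return 403


def totp_setup(developer: Developer) -> str:
    """Generate a fresh secret; return the otpauth URI to render as a QR code."""
    developer.totp_secret = new_totp_secret()
    return otpauth_uri(developer.totp_secret, developer.email)


def totp_confirm(developer: Developer, code: str,
                 timestamp: Optional[float] = None) -> bool:
    """Enable 2FA only once the developer proves the authenticator has the secret."""
    if developer.totp_secret is None:
        return False
    if not verify_totp(developer.totp_secret, code, timestamp):
        return False
    developer.totp_enabled = True
    return True
```

A quick sanity check for the HMAC and truncation: the RFC 6238 test secret (`GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`, the ASCII string `12345678901234567890` in base32) gives `287082` at T=59, the RFC's eight-digit `94287082` cut to six. Two things a production gate needs that the example leaves out: a code that has already been accepted for a given time step must be rejected if presented again (replay within the window), and the `totp_enabled` flag must be read from the account record on each request rather than from a claim captured in the session at login, or the gate only reflects the state at the moment the developer signed in.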
And disabling 2FA? You can't. Once it's on, it stays on. If you lose your authenticator and your backup codes, contact support. We'll verify your identity and help you re-enrol. But we will never give you a button that silently removes the only thing standing between your password and someone's biometric data.
Your Backup Codes Are Not Optional Either
Let me tell you what happens in practice. You enable 2FA. The service shows you 10 backup codes. You think "I'll save those later" and click past them. Six months later your phone dies in a puddle. Now your backup codes are gone and your TOTP secret is gone and your account is locked and you're emailing support at 11pm on a Sunday.
I've been that person. More than once. And every time, the same thought: "I should have taken the backup codes seriously."
FaceVault generates 10 one-time backup codes when you confirm your TOTP setup. Each code is 8 characters, each code works exactly once, and they're the only recovery path if you lose your authenticator. We hash them immediately. We never store them in plaintext. After you dismiss that screen, we can't show them to you again.
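How a backup-code store built to that description can look, as an added example (not FaceVault's code). The facts taken from the post are the count, the length, single use and hashing at rest; the alphabet, the choice of PBKDF2 as the hash and the names `StoredBackupCode`, `generate_backup_codes` and `redeem_backup_code` are this example's own. The point it makes that the paragraph does not: an 8-character code carries only about 40 bits of entropy, so a fast hash like plain SHA-256 would let anyone who copies the table brute-force every code offline in hours. A slow, salted KDF is what makes "we never store them in plaintext" actually mean something.

```python
# Added example, not FaceVault's code: generating, storing and redeeming
# one-time backup codes. Alphabet, KDF and names are this example's choices.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

CODE_COUNT = 10
CODE_LEN = 8
# No 0/O/1/I/L: people read these off a printout and type them under stress.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
# 31^8 is roughly 2^40. A fast hash would let a stolen table be brute-forced
# offline, so each code gets its own salt and a deliberately slow KDF.
PBKDF2_ROUNDS = 100_000


@dataclass
class StoredBackupCode:
    salt: bytes
    digest: bytes
    used: bool = False


def normalize(code: str) -> str:
    """Tolerate how people retype codes: spaces, dashes, lowercase."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


def generate_backup_codes(count: int = CODE_COUNT) -> Tuple[List[str], List[StoredBackupCode]]:
    """Return (plaintext codes to show exactly once, hashed records to persist).
    The plaintext list is never written anywhere; only `stored` hits the database."""
    plain, stored = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        plain.append(code)
        stored.append(StoredBackupCode(salt=salt, digest=hash_code(code, salt)))
    return plain, stored


def redeem_backup_code(stored: List[StoredBackupCode], candidate: str) -> bool:
    """Consume one matching unused code. Every record is checked with no early
    exit, so a wrong guess costs the same time whatever position it would match."""
    matched = None
    for record in stored:
        hit = hmac.compare_digest(hash_code(candidate, record.salt), record.digest)
        if hit and not record.used and matched is None:
            matched = record
    if matched is None:
        return False
    matched.used = True   # real store: a single atomic UPDATE ... WHERE used = false
    return True


def codes_remaining(stored: List[StoredBackupCode]) -> int:
    return sum(1 for record in stored if not record.used)
```

The redeem path costs ten KDF evaluations per attempt by design; that cost belongs behind the same rate limit and lockout as the password form, because a backup code bypasses the authenticator entirely. Marking a code used must be atomic in the real database so two concurrent attempts cannot both succeed with the same code.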
Here's a system that works: when the backup codes screen appears, hit "Copy all." Open your password manager. Save them as a note attached to your FaceVault login entry. Close the screen. Done. Thirty seconds, and your future self will thank you.
If all 10 codes are used up and you still have your authenticator, that's fine — TOTP keeps working. But if you've used a few and are worried about running low, contact support and we'll walk you through regenerating a fresh set.
Use Aegis. Seriously.
I need to talk about authenticator apps for a minute, because the one you choose matters more than you think.
Google Authenticator used to be the default recommendation. It's fine. It works. But for years it stored your TOTP secrets only on-device with no export, no backup, no transfer mechanism. Drop your phone, lose everything. They eventually added cloud sync, but that means your TOTP secrets now live on Google's servers tied to your Google account (and when sync launched in 2023 it was not even end-to-end encrypted). If you're the kind of person who uses 2FA because you care about security, sending all your secrets to a cloud provider kind of defeats the purpose.
Microsoft Authenticator? Same story, different cloud.
Aegis Authenticator is different. It's free, open-source (GPL-3.0), Android-only, and stores everything locally in an encrypted vault on your device. No cloud. No account. No telemetry. Your TOTP secrets never leave your phone unless you explicitly export them.
Encrypted local vault — AES-256-GCM. Password or biometric unlock. Your secrets are encrypted at rest, not just sitting in a SQLite database.
Encrypted backups — export your entire vault to a single encrypted file. Store it on a USB drive, in a password manager, wherever you want. You control the backup, not a cloud provider.
QR code transfer — moving to a new phone? Aegis can export your vault as a QR code that the new device scans directly. No cloud middleman. No account migration.
Open source — the code is on GitHub, so you can audit it, and the builds are reproducible, so you can check that what you installed actually matches that code. You trust what you can verify, not a vendor's word.
No network permissions — Aegis doesn't access the internet. At all. It has no ability to phone home even if it wanted to. Check the manifest yourself.
I've been using Aegis for every TOTP account I have — personal, work, infrastructure, everything. It's the kind of software that makes you wonder why you ever used anything else. Clean UI, instant unlock with fingerprint, and the peace of mind that my secrets are encrypted on my device and nowhere else.
New Phone? One QR Code.
This is the feature that sold me. The part that made me think "okay, these developers actually understand the problem."
If you've ever migrated between phones with Google Authenticator (before it could export accounts), you know the drill: go to every single service, disable 2FA, re-enable it on the new phone, one by one. If you have 30 accounts, that's 30 services. Some of them require password re-entry. Some require support tickets. Some of them you've forgotten the password to, and now you're in a recursive recovery loop. It's miserable.
Aegis solves this completely. When you get a new phone:
Install Aegis on the new phone
On the old phone, open Aegis → Settings → Export → show as QR code
Scan the QR with the new phone's Aegis
Done. Every account, every secret, transferred in seconds
No cloud. No account. No server. Just two phones, a QR code, and five seconds of patience. Nothing touches a network: the only channel is one phone's screen and the other phone's camera. Treat that screen as if it were plaintext, though. Anyone who can photograph it while the code is up can read what it encodes, so do the transfer in private and dismiss the code as soon as the new phone has it.
You can also export as an encrypted file and transfer it via USB, AirDrop equivalent, whatever — but the QR code method is elegant in its simplicity. Old phone shows QR. New phone scans it. Migration complete.
Protect the Protector
Here's the irony of 2FA: you add a second factor to protect your accounts, and then that second factor itself becomes a single point of failure. If someone gets your unlocked phone, they have your authenticator. If your phone gets stolen, they might have your authenticator. If your phone dies and you have no backup, you don't have your authenticator.
Aegis addresses this with three layers:
Vault password
Aegis encrypts its database with a password you set on first launch. Even if someone copies the app data off your phone, they can't read the secrets without the vault password. This is not your phone's lock screen PIN; it's a separate password, specific to Aegis, that encrypts the actual TOTP secrets at rest. Aegis derives the encryption key from that password with scrypt, which slows guessing down but does not rescue a short password: anyone who obtains a copy of the vault can guess offline for as long as they like, so give it a real passphrase.
Biometric unlock
You can enable fingerprint or face unlock for convenience, while the vault password remains the master key. Fast access in daily use, strong protection if the device is compromised. The biometric is a convenience layer over the encrypted vault — it doesn't replace the encryption.
Encrypted backups
Export the vault as an encrypted .json file. Store it on a USB drive in a drawer. Upload it to your password manager's secure notes. Email it to yourself (it's encrypted, the contents are meaningless without the vault password). The point is: your backup exists somewhere that isn't your phone, and it's useless to anyone who doesn't have your vault password. Two caveats. The file is exactly as strong as that password, and whoever holds the file gets unlimited offline guesses, so the further from your control you put it, the longer the password needs to be. And a backup only contains the accounts that existed when you made it: re-export after adding or replacing an account, or the one you need most will be the one that's missing.
My personal setup: Aegis on my phone with fingerprint unlock. Encrypted vault backup saved as an attachment in my Bitwarden vault. Physical printout of my FaceVault backup codes in my document safe. Three layers. If any one of them fails, the other two still work.
The Line We Drew
Making 2FA mandatory is a product decision that costs you signups. I know that. Some developers will hit the setup screen and think "I just want to test the API" and bounce. And that's okay. Because the developers who stay are the ones who understand that security isn't a feature you toggle on when you feel like it — it's a baseline.
The people who use FaceVault are trusting us with their users' faces. Their identity documents. Their biometric data. The absolute minimum we can do is make sure the developer holding the keys has more than a password standing between the world and that data.
Set up your authenticator. Save your backup codes. Use Aegis. And build things worth protecting.
References & Further Reading
Aegis Authenticator — free, open-source TOTP app for Android
Aegis on GitHub — source code, GPL-3.0 license
RFC 6238: TOTP Algorithm — the standard behind time-based one-time passwords
Building Privacy-First KYC: Why We Delete Your Face — our data retention and security philosophy
Deepfake Defense: An IDS/IPS for Identity Verification — the anti-spoofing pipeline that mandatory 2FA protects