Help & guides ›
Account security
› Trusted devices (Remember device with 2FA)
Trusted devices (Remember device with 2FA)
3 min read · Account security
If you have two-factor authentication (2FA) enabled and want to skip the six-digit code when signing in from a regular computer or phone, tick "Remember this device". For 30 days we will not ask you for the one-time code (TOTP) again.
How it works
- On the first successful 2FA sign-in on the device, tick "Remember this device".
- We store a random security token (256 bits) in the browser. On the server we keep only its hash (SHA-256), so the token cannot be guessed or derived - an attacker cannot forge a valid cookie.
- On your next sign-in in the same browser we find this cookie and skip the 2FA step.
- After 30 days the cookie expires and you will have to enter the one-time code again.
Managing trusted devices
In Settings, in the Account -> Trusted devices section, you see a list of:
- The device name derived from the browser (for example "Chrome on Windows 11").
- The IP address and country of the last sign-in.
- The date it was added and last used.
- A Remove button - immediately revokes trust, and the next sign-in from this device will require the 2FA code again.
When to remove a device
- You signed in on someone else's or a public computer (cafe, library).
- You lost or sold a laptop or phone.
- You see a device in the list that you do not recognize (unfamiliar IP address, unknown country).
Security safeguards
- Random server-side token: only a random 256-bit token goes to the browser, the server stores only its SHA-256 hash and compares it - an attacker cannot forge a valid cookie.
- JavaScript has no access to the cookie: protection against a malicious script on the page stealing it.
- Encrypted connection only: the cookie is sent exclusively over HTTPS.
- Bound to the account: a cookie from account A will not work on account B.
- Automatic expiry: after 30 days 2FA is required again.
- On a password change (via "Forgot password" or a manual change) all trusted devices are removed automatically. Even if an attacker had your old cookie, it will no longer skip 2FA.
Was this guide helpful?