Help & guidesAccount security › Trusted devices (Remember device with 2FA)

Trusted devices (Remember device with 2FA)

3 min read · Account security

If you have two-factor authentication (2FA) enabled and want to skip the six-digit code when signing in from a regular computer or phone, tick "Remember this device". For 30 days we will not ask you for the one-time code (TOTP) again.

Account settings - e-mail, password, 2FA and trusted devices
Account section: this is where you manage 2FA and trusted devices.

How it works

  1. On the first successful 2FA sign-in on the device, tick "Remember this device".
  2. We store a random security token (256 bits) in the browser. On the server we keep only its hash (SHA-256), so the token cannot be guessed or derived - an attacker cannot forge a valid cookie.
  3. On your next sign-in in the same browser we find this cookie and skip the 2FA step.
  4. After 30 days the cookie expires and you will have to enter the one-time code again.

Managing trusted devices

In Settings, in the Account -> Trusted devices section, you see a list of:

  • The device name derived from the browser (for example "Chrome on Windows 11").
  • The IP address and country of the last sign-in.
  • The date it was added and last used.
  • A Remove button - immediately revokes trust, and the next sign-in from this device will require the 2FA code again.

When to remove a device

  • You signed in on someone else's or a public computer (cafe, library).
  • You lost or sold a laptop or phone.
  • You see a device in the list that you do not recognize (unfamiliar IP address, unknown country).

Security safeguards

  • Random server-side token: only a random 256-bit token goes to the browser, the server stores only its SHA-256 hash and compares it - an attacker cannot forge a valid cookie.
  • JavaScript has no access to the cookie: protection against a malicious script on the page stealing it.
  • Encrypted connection only: the cookie is sent exclusively over HTTPS.
  • Bound to the account: a cookie from account A will not work on account B.
  • Automatic expiry: after 30 days 2FA is required again.
  • On a password change (via "Forgot password" or a manual change) all trusted devices are removed automatically. Even if an attacker had your old cookie, it will no longer skip 2FA.
Was this guide helpful?