Account Security: Two-Factor Authentication and Suspicious Connections
Introduction
Fotostudio now integrates several mechanisms to protect your account: two-factor authentication (MFA), unusual connection detection, connection history, and automatic session invalidation when you change your password.
Two-Factor Authentication (MFA)
What is it?
Two-factor authentication adds a second step to your login. After entering your password, you must enter a 6-digit code generated by an authentication app on your phone. Even if someone steals your password, they can't access your account without your phone.
Which app to use?
Fotostudio's MFA relies on the TOTP protocol (open standard RFC 6238), compatible with all authentication apps on the market:
- Google Authenticator (iOS / Android)
- Authy
- Microsoft Authenticator
- 1Password, Bitwarden, etc.
Enable MFA
- Go to My Account → Security → Two-Factor Authentication
- Install an authentication app on your phone
- Scan the displayed QR code with your app
- Enter the 6-digit code generated by the app to confirm
- Choose the verification frequency (see below)
- Save your recovery codes (critical step, see dedicated section)
Verification Frequency
When activating, you choose when the code is requested:
| Option | Behavior |
|---|---|
| At every login | The code is always requested, without exception |
| When logging in from an unknown browser | The code is remembered for 90 days on this browser via a secure cookie. You'll be asked for it again if you change browser or device, clear your cookies, change your password, or log in from an unusual country |
Note: In "unknown browser" mode, if you always log in from the same browser without clearing your cookies, the code won't be requested again for 90 days. This is a deliberate convenience trade-off, similar to the behavior of major sites such as Google.
Disable MFA
Go to My Account → Security → Two-Factor Authentication and click Disable. A confirmation is requested.
Recovery Codes
Why it's important
If you lose access to your phone (theft, damage, new app), recovery codes are the only way to log in. Without them, your account would be inaccessible.
How it works
- When activating MFA, 10 recovery codes are generated and displayed only once
- Each code is in the format XXXX-XXXX-XXXX
- A code is single-use: once used, it's permanently invalidated
- They're used instead of the TOTP code on the MFA login page
How to save them
- In your password manager (1Password, Bitwarden…)
- In an encrypted file
- Printed and kept in a safe place
Regenerate codes
If you're approaching 0 remaining codes, or if you think your codes have been compromised:
- Go to My Account → Security → Two-Factor Authentication
- Click Regenerate recovery codes
- Old codes are immediately invalidated
- Save the new codes
The number of remaining codes is displayed on the Security page. A warning automatically appears when there are 2 or fewer remaining.
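The recovery-code lifecycle described in this section (a batch of 10 codes in XXXX-XXXX-XXXX format, shown once, single-use, regenerable, with a warning at 2 or fewer remaining) as an added illustration. This is example code, not Fotostudio's implementation; the code alphabet (no 0/O or 1/I), the SHA-256 hashing of stored codes and the class and function names are assumptions made here.

```python
import hashlib
import hmac
import re
import secrets

# Assumed alphabet: no 0/O or 1/I, so printed codes are not misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_RE = re.compile(r"^[A-Z2-9]{4}-[A-Z2-9]{4}-[A-Z2-9]{4}$")
WARN_THRESHOLD = 2  # the page: a warning appears at 2 or fewer remaining codes


def new_code() -> str:
    """One XXXX-XXXX-XXXX code drawn from a CSPRNG (12 symbols x 5 bits = 60 bits)."""
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(4)) for _ in range(3)]
    return "-".join(groups)


def normalize(code: str) -> str:
    """Accept what a user is likely to type: lowercase, stray spaces, missing dashes."""
    raw = re.sub(r"[^A-Za-z0-9]", "", code).upper()
    if len(raw) != 12:
        return raw
    return "-".join(raw[i:i + 4] for i in range(0, 12, 4))


def hash_code(code: str) -> str:
    # With ~60 bits of entropy per code a plain SHA-256 already makes a leaked
    # table useless to an attacker; a slow password KDF is not needed here.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-account store of hashed, single-use recovery codes."""

    def __init__(self) -> None:
        self.hashes: set = set()

    def issue(self, count: int = 10) -> list:
        """Generate a fresh batch; the previous batch is invalidated in the same step."""
        codes = [new_code() for _ in range(count)]
        self.hashes = {hash_code(c) for c in codes}
        return codes  # shown to the user exactly once, never stored in clear

    def redeem(self, code: str) -> bool:
        """Consume a code: True once, False for unknown or already-used codes."""
        digest = hash_code(code)
        matched = None
        for stored in self.hashes:
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                matched = stored
                break
        if matched is None:
            return False
        self.hashes.discard(matched)  # permanently invalidated after one use
        return True

    def remaining(self) -> int:
        return len(self.hashes)

    def needs_warning(self) -> bool:
        return self.remaining() <= WARN_THRESHOLD
```

Note that `issue()` replaces the whole hash set, which is exactly the "old codes are immediately invalidated" behaviour of the Regenerate button; a code from an earlier batch can never be redeemed again.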
Detection of Unusual Connections
Fotostudio automatically analyzes each connection and compares the country of the current IP address with that of the last known connection.
What happens with a suspicious connection?
Automatic alert email - you receive an email indicating:
- The detected country
- The IP address
- The date and time of the connection
- A direct link to change your password
- A link to activate MFA if not already done
If you have MFA enabled - even if your browser was marked "trusted", the TOTP code is automatically requested again when connecting from a different country.
What doesn't trigger an alert
- Same country, different IP address (network change, 4G → WiFi, etc.)
- Connections from local addresses (internal network, development)
If you receive an alert email and you're not the source of this connection, immediately change your password via the link in the email.
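The decision logic described above (compare the country of the current IP with the last known connection, ignore local addresses, alert and re-request the TOTP code on a country change even for a trusted browser) as an added example. It is not Fotostudio's code: the IP-to-country table is constructed from the RFC 5737 documentation ranges, the list of "local" networks and the `Account`/`Decision` types are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed geolocation table standing in for a real IP-to-country database.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "FR",
    ipaddress.ip_network("203.0.113.0/24"): "FR",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}

# Assumed definition of "local": RFC 1918, loopback and link-local ranges.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None  # unknown location: treated as "no comparison possible"


@dataclass
class Account:
    mfa_enabled: bool
    last_country: Optional[str] = None
    history: list = field(default_factory=list)  # feeds the connection history page


@dataclass
class Decision:
    alert: bool             # send the "unusual connection" email
    require_totp: bool      # ask for the code even if the browser is trusted
    country: Optional[str]


def evaluate_login(account: Account, ip: str, browser_trusted: bool) -> Decision:
    """Classify one successful password login and update the account's last known country."""
    if is_local(ip):
        # Internal network / development: not geolocated, never alerts.
        return Decision(False, account.mfa_enabled and not browser_trusted, None)

    country = country_of(ip)
    unusual = (country is not None and account.last_country is not None
               and country != account.last_country)
    if country is not None:
        account.last_country = country
    account.history.append({"ip": ip, "country": country, "unusual": unusual})

    # A trusted browser skips the code, except when the country changed.
    require_totp = account.mfa_enabled and (unusual or not browser_trusted)
    return Decision(alert=unusual, require_totp=require_totp, country=country)
```

The same-country, different-IP case (4G to WiFi) falls through with `unusual == False`, which matches the "what doesn't trigger an alert" list; only the country field participates in the comparison.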
Connection History and Security Page
The My Account → Security page centralizes all your account's security information:
MFA Status
- If MFA is active: activation date, number of remaining recovery codes, link to management
- If MFA is inactive: invitation to activate it with direct link
Connection History
Displays the last 50 connections to your account with:
| Column | Detail |
|---|---|
| Date | Date and time of the connection |
| Country | Country detected via IP address |
| IP Address | IP used during the connection |
| Browser | Browser user-agent |
| ⚠️ | Connection from an unusual country |
| 🔒 | MFA code verified during this connection |
Password Change
When you change your password from My Profile, several security actions are triggered automatically:
- All other active sessions are invalidated - anyone connected to your account on another device is immediately logged out
- Trust for all MFA devices is revoked - the TOTP code will be requested again on all devices at the next login, even those previously remembered
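One way to get both effects of a password change at once, and the 90-day trusted-browser cookie from the Verification Frequency section, as an added example (not Fotostudio's code). The trusted-browser cookie is an HMAC-signed value that embeds a per-user "credential generation" counter; bumping that counter on password change invalidates every cookie ever issued, and the session dictionary is reduced to the session that made the change. The server key, the `User` type and all function names are assumptions made here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TRUST_TTL = 90 * 24 * 3600  # the page: a trusted browser is remembered for 90 days
# Assumption: a per-deployment secret; this value is constructed for the example only.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class User:
    user_id: str
    password_hash: str
    credential_generation: int = 0              # bumped on every password change
    sessions: dict = field(default_factory=dict)  # session id -> device label


def sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_trust_cookie(user: User, now: int) -> str:
    """Value of the secure cookie set after a successful TOTP check."""
    payload = f"{user.user_id}:{user.credential_generation}:{now + TRUST_TTL}"
    return f"{payload}:{sign(payload)}"


def browser_is_trusted(user: User, cookie: str, now: int) -> bool:
    """True only for an untampered, unexpired cookie from the current credential generation."""
    parts = cookie.split(":")
    if len(parts) != 4:
        return False
    uid, gen, exp, mac = parts
    if not hmac.compare_digest(mac, sign(":".join(parts[:3]))):
        return False
    try:
        return (uid == user.user_id
                and int(gen) == user.credential_generation
                and now < int(exp))
    except ValueError:
        return False


def login(user: User, device: str) -> str:
    """Open a session after the password (and, if required, the TOTP code) checked out."""
    sid = secrets.token_urlsafe(32)
    user.sessions[sid] = device
    return sid


def change_password(user: User, current_session: str, new_password_hash: str) -> None:
    """Apply the two automatic actions: log out other sessions, revoke all MFA trust."""
    user.password_hash = new_password_hash
    user.credential_generation += 1  # every trust cookie issued so far is now invalid
    user.sessions = {current_session: user.sessions[current_session]}
```

Because the generation number is inside the signed payload, revocation needs no server-side list of issued cookies: the next visit from a "remembered" browser simply fails the check and the TOTP code is asked for again.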
Protection Against Brute Force Attacks
In addition to MFA, Fotostudio automatically limits login attempts:
| Entry Point | Limit |
|---|---|
| Login page (per IP) | 5 attempts per minute |
| Login page (per email) | 10 attempts per 10 minutes |
| MFA code | 5 attempts per 5 minutes |
| Password reset | 10 attempts per 10 minutes |
Beyond these limits, access is temporarily blocked.
If you get a message saying your account is locked when you try to log in, you must wait 1 hour for it to unlock automatically or contact support to have them unlock it instantly.
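The limits in the table above applied with a sliding-window counter, as an added example that is not Fotostudio's code. A login attempt has to pass both the per-IP and the per-email bucket; the bucket names, the in-memory storage and the `now` parameter (injected so the behaviour is testable without waiting) are assumptions made here.

```python
from collections import defaultdict, deque

# Limits from the page: bucket -> (max attempts, window in seconds).
LIMITS = {
    "login_ip": (5, 60),
    "login_email": (10, 600),
    "mfa_code": (5, 300),
    "password_reset": (10, 600),
}


class SlidingWindowLimiter:
    """Keeps one timestamp per attempt and counts those still inside the window."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.attempts = defaultdict(deque)  # (bucket, key) -> timestamps, oldest first

    def allow(self, bucket: str, key: str, now: float) -> bool:
        """Record an attempt and say whether it may proceed."""
        max_attempts, window = self.limits[bucket]
        q = self.attempts[(bucket, key)]
        while q and q[0] <= now - window:   # drop attempts that have aged out
            q.popleft()
        if len(q) >= max_attempts:
            return False                    # blocked until the oldest attempt expires
        q.append(now)
        return True


def check_login_attempt(limiter: SlidingWindowLimiter, ip: str, email: str, now: float) -> bool:
    """Both the per-IP and the per-email limit must allow the attempt."""
    if not limiter.allow("login_ip", ip, now):
        return False
    return limiter.allow("login_email", email.strip().lower(), now)


def check_mfa_attempt(limiter: SlidingWindowLimiter, user_id: str, now: float) -> bool:
    """5 code submissions per 5 minutes per account, independent of the IP."""
    return limiter.allow("mfa_code", user_id, now)
```

Keying the MFA bucket by account rather than by IP is what makes the limit meaningful: a 6-digit code has only a million possibilities, so a per-account cap of 5 tries per 5 minutes is what keeps guessing impractical regardless of how many source addresses are used.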
FAQ
Q: My TOTP code isn't accepted.
Check that your phone's clock is set to synchronize automatically. A clock that is out of sync prevents the code from validating. If the problem persists, use a recovery code and reactivate MFA.
Q: I lost my phone and I don't have my recovery codes anymore.
Contact Fotostudio support. Identity verification will be necessary to disable MFA on your account.
Q: I receive an alert email at each login even though I'm logging in from home.
Your internet provider might be changing your IP address regularly (dynamic IP). If the country remains the same, no email is sent. If you use a VPN, the detected country may vary depending on the VPN server used.
Q: Is MFA mandatory?
No, it's optional. But we strongly recommend it, especially if your account contains client data, billing information, or linked bank access.
Updated on: 18/06/2026