Two-Factor Authentication

Overview

XLogin supports TOTP (Time-based One-Time Password), compatible with Google Authenticator, Authy, Microsoft Authenticator, and any TOTP app.

Enable it in config:

two-factor:
  enabled: true

Setup Flow

  1. Player runs /2fa setup. XLogin generates a random TOTP secret (Base32 encoded).
  2. Player adds the secret to their authenticator app.
  3. Player runs /2fa <code> with the 6-digit code from the app.
  4. If valid, 2FA is enabled on the account.

Login with 2FA

After entering the correct password with /login, the player is prompted to enter their 2FA code:

/2fa <code>

The code is validated against the stored secret using HMAC-SHA1 (standard TOTP with 30-second time steps) with a tolerance of one step on either side: the server checks the codes for time-1, time, and time+1, so a code stays valid for about ±30 seconds of clock drift.
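The setup and login steps above, worked through as an added example in Python (this is not XLogin's own code, which is a Java plugin). It assumes the RFC 6238 defaults the page describes: HMAC-SHA1, a 30-second time step starting at the Unix epoch, 6-digit codes, and a window of one step on either side. The replay check in `TotpVerifier` (refusing a counter that has already been accepted for that account) is an assumed hardening, not something the page says XLogin does; the account name "steve" and the 20-byte secret length are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default, as on the page)
DIGITS = 6       # length of the code the player types
WINDOW = 1       # accept counters T-1, T and T+1


def generate_secret(num_bytes: int = 20) -> str:
    """Random TOTP secret, Base32 encoded without padding.

    This is what `/2fa setup` would hand to the player to enter into
    their authenticator app. 20 bytes (160 bits) is an assumed length.
    """
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def _decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret, tolerating spaces, lowercase and missing padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """Code an authenticator app would display at Unix time `at` (now if omitted)."""
    ts = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), ts // TIME_STEP)


def matching_counter(secret_b32: str, submitted: str,
                     at: Optional[int] = None, window: int = WINDOW) -> Optional[int]:
    """Return the counter whose code matches `submitted`, or None.

    Every candidate in the window is compared in constant time and the loop
    never short-circuits, so timing does not reveal which step matched.
    """
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    key = _decode_secret(secret_b32)
    ts = int(time.time()) if at is None else at
    counter = ts // TIME_STEP
    matched: Optional[int] = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(key, candidate), submitted):
            matched = candidate
    return matched


def verify(secret_b32: str, submitted: str, at: Optional[int] = None) -> bool:
    """Stateless check: is `submitted` valid for this secret at time `at` (±WINDOW steps)?"""
    return matching_counter(secret_b32, submitted, at) is not None


class TotpVerifier:
    """Stateful check that also refuses replays (assumed hardening, not documented for XLogin).

    Remembers the highest counter accepted per account; a code for that
    counter or an earlier one is rejected even if it is still inside the window.
    """

    def __init__(self) -> None:
        self._last_counter: Dict[str, int] = {}

    def verify(self, account: str, secret_b32: str, submitted: str,
               at: Optional[int] = None) -> bool:
        matched = matching_counter(secret_b32, submitted, at)
        if matched is None or matched <= self._last_counter.get(account, -1):
            return False
        self._last_counter[account] = matched
        return True


if __name__ == "__main__":
    # Setup flow: generate a secret, "enroll" it, then prove possession with the current code.
    secret = generate_secret()
    print("secret for the authenticator app:", secret)
    print("current code:", totp(secret), "valid:", verify(secret, totp(secret)))
```

The `at` parameter exists so the logic can be exercised against fixed timestamps (the RFC 6238 test vectors use the ASCII key `12345678901234567890`, which is `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` in Base32); in production leave it unset so the server clock is used, and keep that clock NTP-synchronised, since the ±1 step window only absorbs about 30 seconds of drift.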

Disabling 2FA

/2fa disable

The player must be authenticated to run this. It removes the secret from the database, after which the account logs in with the password alone.

Premium players bypass 2FA entirely — the Mojang handshake is already cryptographic proof of identity.