Two-factor authentication
Lock down your account
One minute now spares you a very bad day later. Goldenhour holds your client list, payment history, and the SMS sending privileges that protect your sender reputation : all stuff you don’t want a stranger getting into.
Why TOTP, not SMS
Three reasons we steer you toward authenticator apps (TOTP) over text-message codes:
- SIM-swap immunity.A determined attacker can social-engineer your carrier into porting your number to their SIM. TOTP codes live in your phone’s secure enclave; they don’t travel the network.
- Free + reliable.No SMS delivery delays, no roaming-charge surprise, no “text didn’t arrive” at the worst moment.
- Recoverable if you lose access. The 10 recovery codes you save during setup mean a lost phone isn’t a permanent lockout.
4-step setup
One minute, lasts forever
1. Install an authenticator app
1Password (best), or any of: Google Authenticator, Authy, Microsoft Authenticator, Apple Passwords (iOS 18+). Install on your phone + sign in.
2. Scan the QR code
In goldenhour: Settings → Security → Enable 2FA. Open your authenticator → “Add account” → scan the QR. The app immediately starts showing 6-digit codes that rotate every 30 seconds.
3. Verify with a current code
Type the 6 digits currently shown in your app. This confirms the QR scan worked + activates 2FA on your account.
4. Save your 10 recovery codes
Goldenhour shows you a one-time list of 10 single-use recovery codes. Save these NOW. If you lose your phone, these are your only path back into the account without a video-call identity verification.
Recommended: store in 1Password under your goldenhour account, or print + put in a safe. Don’t put them in a Notes app that’s synced to the same iCloud as the device you lose.
If you get locked out
Three recovery paths, in order
- 1.Use a recovery code. Enter one of the 10 codes you saved. Single-use; goldenhour marks it consumed after.
- 2.Authenticator backup restore. If you use 1Password / Authy / Apple Passwords, your TOTP secrets are synced to your account. Reinstall the app on a new phone, sign in, the codes come back. No goldenhour interaction required.
- 3.Contact support. Email
support@goldenhourhq.comfrom the email address tied to your account. We reply within 12 hours with a video-call link to verify identity (we want to see your face + the ID you signed up with). 2FA reset takes ~10 minutes once we connect.
FAQ
- Is two-factor authentication required?
- Strongly recommended. Goldenhour holds your client list, payment history, and the keys to your booking page; a compromised account could send mass-spam SMS to your customers and damage your sender reputation for years. We don't force it on, but you should turn it on.
- What authenticator apps work?
- Any TOTP-compatible app. Recommended: 1Password, Google Authenticator, Authy, Apple's built-in Passwords app (iOS 18+), Microsoft Authenticator. The QR code we show you works with all of them.
- What if I lose my phone?
- Use one of the 10 single-use recovery codes you saved during setup. (You DID save them, right?) If you didn't, email support@goldenhourhq.com from the email tied to your account and we'll verify identity via a video call before resetting 2FA.
- Why TOTP instead of SMS 2FA?
- SMS 2FA is vulnerable to SIM swap attacks. For a business account holding payment data, TOTP (app-based, never travels over a network you don't control) is meaningfully more secure. The setup is one minute extra and lasts forever.