Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.vast.ai/llms.txt

Use this file to discover all available pages before exploring further.

Two-factor authentication (2FA) adds a second layer of security to your account. After entering your password, you verify your identity using a code from your phone or email. This means an attacker who obtains your password still cannot access your account without the second factor.

Supported Methods

To use 2FA, you must first configure at least one Authenticator App or SMS method. Email is a backup verification method — it is used automatically when you set up your first 2FA method (since you have nothing else to verify with at that point), but it is never auto-triggered at login. You can still explicitly pick email at the verification prompt if you need to.
  • Authenticator App (Recommended) — Generate time-based one-time passwords (TOTP) using an app like Google Authenticator, Authy, or Microsoft Authenticator. Set this up in Account Settings.
  • SMS — A 6-digit code is sent to your mobile phone. Set this up in Account Settings.
  • Email — A 6-digit code is sent to your registered email address. Used automatically as the verification channel when you are setting up your first 2FA method. Once you have an Authenticator App or SMS method configured, email is no longer the default — it won’t be auto-triggered at login or other operations — but it remains available as an explicit option in the verification prompt if you choose it.

Setting Up Two-Factor Authentication

Setting Up SMS

Setting up SMS 2FA takes about 2 minutes for the first time. If you already have a 2FA method configured and you are adding SMS as a second method, the verification step uses your existing method instead of email (see “Adding additional methods” below). You need:
  • A verified email address on your account
  • A mobile phone that can receive SMS messages

Steps (first 2FA method)

  1. Go to Account Settings — Open Account Settings and navigate to the Security section. Click Enable Two-Factor Authentication.
  2. Verify your identity — Because you are adding a security method, vast.ai needs to confirm it is you. For your first 2FA method, a verification code is sent to your registered email address (since no other method exists yet to verify with). Enter the code when prompted.
  3. Choose SMS as your method — Select SMS from the list of available methods and click Continue.
  4. Enter your phone number — Select your country code and enter your mobile phone number. Click Send Code — a 6-digit code is sent to your phone via SMS.
  5. Enter the verification code — Enter the 6-digit code from the SMS message. The code is valid for 10 minutes. Click Verify to activate 2FA.
Once verified, your SMS method is active and you receive a set of recovery codes. Save these recovery codes somewhere safe — they are the only way to access your account if you lose access to your phone.

Setting Up an Authenticator App (TOTP)

TOTP 2FA generates time-based one-time passwords in an authenticator app. You need:
  • A verified email address on your account
  • An authenticator app (Google Authenticator, Authy, Microsoft Authenticator, or similar)

Steps (first 2FA method)

  1. Go to Account Settings — Open Account Settings and navigate to the Security section. Click Enable Two-Factor Authentication.
  2. Verify your identity — For your first 2FA method, a verification code is sent to your registered email address. Enter the code when prompted.
  3. Choose Authenticator App — Select Authenticator App (Recommended) from the list of available methods and click Continue.
  4. Scan the QR code — Open your authenticator app and scan the QR code displayed on screen. If you cannot scan the QR code, enter the setup key manually.
  5. Enter the verification code — Enter the 6-digit code from your authenticator app. Click Verify to activate TOTP 2FA.
Once verified, your authenticator app method is active and you receive a set of recovery codes. Save these recovery codes somewhere safe.

Adding additional methods

After your first method is active, you can add more (e.g., add SMS as a second method when you already have TOTP). The flow is the same as above, except for the “Verify your identity” step: instead of sending an email code, you are prompted to select an existing verification method — Authenticator App code, SMS code, or a recovery code. Email isn’t the default verification channel once you have other methods configured — vast.ai prompts you to use one of your existing methods. Email may still be available as an explicit option in the verification prompt, but it isn’t sent automatically.

Logging In with 2FA

When you sign in, after entering your password, the verification prompt asks for a 2FA code. Pick one of the following methods to verify with:
  • Authenticator App — open your authenticator app and enter the current 6-digit code.
  • SMS — a 6-digit code is sent to your phone; enter it in the prompt. If you did not receive it, click Resend after 30 seconds.
  • Email — explicitly select email at the prompt; a 6-digit code is sent to your registered address.
  • Recovery code — enter one of your saved recovery codes (use this if your phone or authenticator app is unavailable).
Note: Email 2FA is not auto-triggered at login — the default prompt asks for an Authenticator App or SMS code. To enable 2FA in the first place you must configure an Authenticator App or SMS method; email is used automatically only for the first 2FA method’s verification step. After that, email remains available as an explicit option in the login verification prompt if you choose it manually.

Recovery Codes

When you first set up 2FA, you receive 10 one-time recovery codes. Each code can only be used once. Use a recovery code on the login screen when you cannot receive SMS codes, TOTP codes, or email codes (for example, if your phone is lost or your email is inaccessible). Enter it in place of the 6-digit code. Once you have used a recovery code, it cannot be reused. You can generate a fresh set of 10 codes at any time from Account Settings → Security → Regenerate. Generating new codes invalidates all previously issued codes.

Troubleshooting

I did not receive my SMS code.
  • Wait up to 30 seconds, then click Resend.
  • Check that the phone number on file is correct.
  • Make sure your phone has signal and is not blocking messages from unknown numbers.
  • If the problem continues, contact support@vast.ai.
My code says it is expired. Codes are valid for 10 minutes. If more than 10 minutes have passed since the code was sent, start the login process again to generate a fresh code. My TOTP code is not accepted.
  • Ensure your device clock is synchronized (TOTP codes depend on accurate time).
  • Make sure you are scanning the correct QR code or entering the correct setup key.
  • If the problem continues, remove and re-add the account in your authenticator app.
I am locked out after too many failed attempts. After 3 failed SMS code attempts or 5 failed TOTP code attempts, the specific 2FA method is locked for 15 minutes — not your whole account. If you have multiple 2FA methods configured, you can switch to a different one to log in (e.g., switch from SMS to Authenticator App, or use a recovery code). The lockout applies per-method, so other methods on the account remain available. I have lost access to my phone and do not have recovery codes. Contact support@vast.ai with your account email. The support team can verify your identity and assist with 2FA recovery. I see a message about migrating my 2FA. Some accounts use a legacy SMS 2FA setup. If you see a banner in Account Settings asking you to migrate, click Regenerate Recovery Codes and follow the steps. This migrates your account to the current 2FA system and generates your recovery codes.

Removing Two-Factor Authentication

To remove a 2FA method, go to Account Settings → Security. Find the method you want to remove and click the remove icon. You are asked to verify using an existing 2FA method or recovery code before the method is deleted. If you remove all 2FA methods, 2FA is fully disabled on your account.