Two-Factor Authentication
Quick Start
Are you already familiar with 2FA? Log in to your VRChat account, click "Edit Profile," scroll down to "Two-Factor Authentication," and follow the instructions.
For more step-by-step instructions, continue reading.
If you lost access to your authenticator, read this.
What is Two-Factor Authentication?
Having a username and password is good, but sometimes it's not enough security. Attackers can still guess your password, steal your password, or trick you into revealing your password.
Two-Factor Authentication helps protect your account with an extra login step. After your username and password, you'll enter in a secret code, generated by an app that you can run on your phone or other device.
Nobody else has your device, so you can be sure that no one else can log in, even if they steal your password! The downside is that you'll need that device nearby to log in.
Keep your password strong and unique!
Two-Factor Authentication helps keep your account secure, but you should always ensure you are using a strong password that you don't use anywhere else on the internet. This is good practice for all services! Consider using a password manager.
Who can use Two-Factor Authentication?
VRChat's Two-Factor Authentication is for users who are registered with VRChat accounts.
In other words, not Oculus ID users, not Steam ID users, and not Viveport users. If you use one of those other methods of logging in, and you want to use Two-Factor authentication, see the respective sites for Oculus ID users, Steam ID users, or Viveport users.
Set up Two-Factor Authentication
In a web browser, go to the VRChat website and login to your account.
Once you've logged in, click on the "Edit Profile" button at the top left.
Scroll down to the "Two-Factor Authentication" section, and click "Enable".
Step 1: Download an authenticator app
Authy is good Two-Factor Authentication app and you can run it on your phone or your desktop computer. In addition, Authy permits you to back up your accounts to their cloud using an encryption password only you know, so your 2FA codes are safe. If you're worried about swapping devices or losing your phone, this is probably the best app to use.
Click "Next >" to go to the next step.
Step 2: Add your VRChat account to your authenticator app
If you're browsing the website with a desktop PC, and using Google Authenticator, it's very easy.
- Open Authy.
- Tap the "..." in the top-right to add a new site.
- Tap "Scan QR code" and scan the barcode shown.
The authenticator will add VRChat to its list of sites. It should show "VRChat", a six-digit code, and your username's email address. The code will change every 30 seconds.
If you can't scan the barcode — maybe you're browsing on your phone — click the link to "enter the key manually". A text key will appear, a long series of letters and numbers. Copy the whole thing. Then switch to Google Authenticator, and follow the same instructions as above, but instead of "Scan barcode", press "Enter manually". Then paste the key.
On the VRChat website, click "Next >" to go to the next step.
Step 3: Verify yourself with the authenticator app code
Enter the 6-digit code from your authenticator app for your VRChat account into the dialog box on the website and click on the "Verify" button.
It's not working!
Check that
- the code hasn't already changed. It changes every 30 seconds.
- you typed the code correctly
If you can't get this to work, don't worry. Your username and password still works as it did before. You can press the grey Cancel button to give up.
It worked!
If everything was successful you will see a message saying "You are protecting your account with an additional login step."
From now on, whenever you are logging in, VRChat may ask you for authenticator app code — especially if it's been a while since you entered a code, or if it looks like you are logging in from a new location.
On this screen, you'll also see some information about recovery codes. If you ever lose or damage your phone, or otherwise can't get those app codes, the recovery codes can help you log in.
We strongly recommend you download the recovery codes and store them somewhere secure. You might have to provide another Two-Factor Authentication code to download or view the recovery codes. For more on how to use those codes, see the section "Help, I lost access to my authenticator app".
RISK OF ACCOUNT LOSS
Seriously, download your recovery codes and keep them safe. Don't have your only copy on a device you might lose, or the same device you use for authentication-- like your phone. If you lose your phone, you've just lost your authentication method and your backup codes.
DOWNLOAD YOUR RECOVERY CODES AND KEEP THEM SAFE. IF YOU DO NOT, YOU MAY PERMANENTLY LOSE ACCESS TO YOUR ACCOUNT. If I could make that look scarier, I would. This risk is part of what makes 2FA secure.
How to log into VRChat with your Authenticator App
VRChat Client
After giving your username and password, you will be prompted to enter a 6-digit authentication code from your authenticator app.
Open your authenticator app to obtain the 6-digit code for your VRChat account. Click on the field that says "Enter code here...". A keypad like this will appear.
Check your authenticator app for the current code. Enter the code and press "OK".
Next, press the "Verify" button next to the code entry field.
If the code doesn't work, you'll see a message like this. Click OK to try again.
Check if you mistyped the code, or if the code changed. It changes every 30 seconds.
Website
After giving your username and password, you will be prompted to enter a 6-digit authentication code from your authenticator app.
Developer SDK
This is for developers only.
After giving your username and password, you will be prompted to enter a 6-digit authentication code from your authenticator app.
Help, I lost access to my authenticator app!
If you lose the device with the authenticator app, or its data is deleted, you can still log into VRChat with a recovery code. (Remember when we told you to keep them safe?)
First, find those recovery codes! It should look something like this:
Then, login to the VRChat website with your username and password. When you get to the Two-Factor Authentication screen, click on "Use a recovery code instead".
Find one of your recovery codes, and type it into the form.
If it's successful, on your recovery codes document, remove or cross out the code you used.
You should now be logged into VRChat.
The next step depends on you.
If you think you can get that authenticator app back up and running soon, you can just log into VRChat normally with a recovery code. But be careful, you only have ten recovery codes! Skip to logging into the VRChat Client with a recovery code.
If you think you might have lost your authenticator app or its data permanently, disable your Two-Factor Authentication. Then you can start fresh, and set up Two-Factor Authentication again.
Logging into the VRChat Client with a recovery code
This shouldn't be your usual method of logging in; remember that you can only use each recovery code once!
At the Two-Factor Authentication screen, click on "Use Recovery Code".
And from there it's very similar to logging in with an authenticator app code. Click on "Enter code here..." to get the recovery input screen.
Type your recovery code, and press okay.
Finally, press the verify button. You should then be logged into VRChat.
Developer SDK
This is for developers only.
You can also log into the VRChat SDK with a recovery code. This shouldn't be your usual method of logging in; remember that you can only use each recovery code once!
You can simply use the standard Two-Factor Authentication form to enter your recovery code.
Disabling Two-Factor Authentication
Go to "Edit Profile" on the website as before. Scroll down to "Two-Factor Authentication" and click on the "Disable" button.
You might have to verify yourself one more time. You can use a regular authenticator app code or a recovery code.
Important: after you disable Two-Factor Authentication, your old authenticator app codes will no longer work, and neither will your recovery codes. If you re-enable Two-Factor Authentication, you'll have to start from scratch.
Updated 3 months ago