ValidEmailChecker

Can I have both authenticator-app AND email-code 2FA enabled at the same time?

Last updated May 20, 2026Account & security

Yes — Valid Email Checker treats authenticator-app 2FA and email 2FA as two independent toggles inside Account Settings, Security tab. You can have one on, the other on, or both on at the same time. The Two-Factor Authentication section lists each as a separate card with its own Enable/Disable button, and the user_2fa_settings table backing the UI has two booleans (google_authenticator_enabled and email_2fa_enabled) that flip independently.

What "both enabled" actually means at sign-in

When both methods are on, the verification prompt that appears after a successful password check defaults to whichever method you set as preferred — usually the authenticator app, because TOTP is the stronger primary. Underneath the 6-digit input is a Use Email Instead link. Click it and the prompt pivots: a fresh email code is dispatched to your account address and the input now expects that code instead. You can swap back and forth between the two before submitting.

Why dual-enable is worth the 60 seconds

  • Phone unreachable — battery dead, phone left at home, work-trip without it. With email-only fallback, your account email is reachable from any browser.
  • App-data lost — you reset your phone or upgraded to a new device without exporting the authenticator entries. Email 2FA bridges the gap until you re-set-up TOTP.
  • Travel and intermittent connectivity — TOTP works offline but you might still want an alternate channel when timestamps drift or your phone clock is unreliable.

Failure modes to know about

Both methods running in parallel does NOT mean both are required at sign-in. Either code (a TOTP from your app OR an email code) is sufficient. Anyone who controls your email AND your password could sign in without ever touching your authenticator app, so email 2FA is structurally weaker than TOTP. The compounding security comes from having an alternate way back in if one channel breaks, not from forcing both at every login.

Recommended configuration
Authenticator app as primary, email 2FA on as a backup, backup codes saved in a password manager. That triple covers phone loss, email outage, and authenticator-app loss without ever needing a manual support ticket.

If you want to flip which method is primary, see how do I switch from email to authenticator 2FA for the full procedure.

Related questions

How do I enable two-factor authentication (2FA) on my account?
Authenticator app vs. email codes for 2FA — which should I use?
How do I switch from email 2FA to authenticator-app 2FA?
Where do I find my 2FA backup codes again after the initial setup?
Back to all FAQs

Still stuck? Email support