[Q&A] Two Factor Authentication (2FA) with Homey Account

To centralise Questions and Answers around Two Factor Authentication (2FA) with your Homey Account, I suggest keeping one topic. This opening post will be updated if necessary. Ask your questions in this Topic!

Athom enabled Two Factor Authentication for Homey Accounts

Q: Where can I enable 2FA?
A: Go to your Account Settings: Mijn account | Homey

Q: I lost my 2FA App/Phone and Can’t Login. (I have no backup of my Authenticator App)
A: Contact Athom Support

Q: Is there a backup option for when I lose my Phone or App?
A: No, there is no backup option in the Athom 2FA Account.

  • Backup (of TOTP) can be implemented in the Authenticator App
    or
  • as simple as screenshotting the QR code and storing it in a safe place for later installation of the TOTP account in your freshly installed Authenticator App on a new phone.

[to be completed]

3 Likes

Reserved for later use

Do I understand correctly that confirmation is required for a new login?

1 Like

2FA means that logging in with just a username and password isn’t enough anymore but requires an additional “factor” (a time-related unique code).

I understand it.
E.g.
I have two users on one account …
User 1 logged out and logged in. What will happen to user 2 if I don’t log it out?

Seems easy enough to try out :smiley:

When you say two users on one account, do you mean you have added a user via the Family settings or that you log in on two devices using exactly the same details?

If it is the Family option then they will remain logged in (I have just verified that).

If it is the second scenario then I think they stay logged in but will need the 2FA code if they log out and back in. I say that because when I enabled 2FA via the web site, my phone continued to work and I had to log out and back in to bring up the 2FA code prompt.

1 Like

Yes two devices.
My thoughts revolve around “homeydash”

Hmm, not sure about homeydash as I think that uses a different authentication system.

Q: No backup codes?

1 Like

Workaround: I would suggest using e.g. the Android app Aegis 2FA (free of charge) - https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=en_US&gl=US. It allows you to reveal the TOTP seed after you scan your QR setup code, which you can then set up e.g. in KeePass (https://keepass.info/) with a TOTP plugin or the built-in support, so you will have it in at least two places… and even an auto-logon option when using 2FA, e.g. from your laptop/PC.

2 Likes

I use 1Password for 2FA, so I already have the seed safely stored.

https://support.1password.com/one-time-passwords

From what I know, after the first logon to Homeydash, you can retrieve a token via homey.ink and that token is used to authenticate.
That token is valid until you change your password.
That is the way to log off, and ‘cripple’ your token.
2FA, if enabled, comes along when you want to log on again @ homey.ink to get a new token for use with homeydash.
I hope I explained it well. Pls correct me if I’m wrong

I changed my password and role (owner to manager) yesterday. Homeydash works

1 Like

Is it correct that for the developer site we don’t get 2FA?

No, you should also have 2FA there because the accounts site is shared. If you already logged in on accounts before, you don’t have to do it separately for each website/application.

So when logging out of developer site AND the my homey app should result in both 2FA login?

Only if you log out from https://accounts.athom.com/ as well.

Hm, ok. So when staying logged in at the accounts part I need 2FA for my homey app but not for developers?

Correct, Athom uses accounts.athom.com as authentication provider for all their sites
(Like login on at a 3rd party Website with your Google/Facebook/DigiD ID)
but also shares the current status (Probably Cookie) in the same browser environment.
Logging in in other browsers or an App requires authentication, so a Username, Password and the 2nd factor, the Time-based Code.
This differs slightly between sites with a HomeySelector, sites requiring you to select a Homey before opening the site, and sites without knowledge of your Homey (Community).
Another Browser, as with the login in an App, requires re-authentication.