Account Security – Two-Factor Authentication and Passkeys#

You can secure your Mergado account beyond just a password. In the Security section, you will find three tools: two-factor authentication via an authenticator app, backup codes for emergency access, and passkeys for passwordless sign-in.

1. Two-Factor Authentication (2FA)#

Two-factor authentication adds a second step to the standard sign-in process — after entering your password, you will be prompted to enter a one-time code from an authenticator app on your phone. Even if someone obtains your password, they cannot access your account without your phone.

How to enable 2FA#

  1. Go to the Security section in your Mergado account.
  2. In the Authenticator app section, click Enable.
  3. Scan the displayed QR code with your authenticator app (e.g. Google Authenticator, Authy, or Microsoft Authenticator).
  4. Enter the six-digit code generated by the app into the Authenticator code field and click Enable.
  5. After successful activation, the system automatically generates a set of backup codes — save them in a safe place.

Tip: You can also save the secret key displayed below the QR code. It allows you to set up the authenticator app again even without access to your original device.

Trusted device#

After successfully signing in with 2FA, the system offers you the option to Trust this browser for 1 month. On a trusted device, you will not need to enter the verification code every time you sign in. Do not use this option on public or shared computers.

Backup codes#

Backup codes serve as an emergency alternative if you lose access to your phone or authenticator app. Each code can only be used once.

The system generates backup codes automatically when you activate 2FA. You can manage them (view, download, or generate a new set) at any time in the Security section.

Important: Save your backup codes in a safe place immediately after they are generated. If you lose access to both your authenticator app and backup codes, you will need to contact support to recover your account.

How to disable 2FA#

In the Security section, click Disable next to the Authenticator app. You will be asked to confirm with the current code from the app.

2. Passkeys and Security Keys#

A passkey lets you sign in to Mergado without entering a password. Instead, you use biometrics (fingerprint, face recognition), a PIN, or a security key.

How to add a passkey#

  1. Go to the Security section in your Mergado account.
  2. In the Passkeys and security keys section, click Add passkey.
  3. Follow the instructions from your device or browser.

Once added, the passkey appears in the list and you can use it to sign in directly — no password needed.

Brute-Force Protection#

Mergado automatically protects your account against brute-force attacks. If someone repeatedly enters the wrong password, the system gradually increases the waiting time between further attempts. After a large number of failed attempts, sign-in may be temporarily blocked.

If you see a message about a suspended sign-in, wait for the displayed time and try again. If you have forgotten your password, use the password recovery link on the sign-in page.

This protection runs in the background automatically and requires no configuration on your part.

FAQ#

Is 2FA mandatory?#

No, two-factor authentication is optional. We do recommend enabling it, especially if you have access to multiple online stores in Mergado or manage client accounts.

Can I have 2FA set up on multiple devices?#

Yes. If you save the secret key displayed below the QR code during setup, you can use it not only to set up the authenticator app again on the same phone, but also to configure it on other devices. This way, you can access the same 2FA codes from multiple devices.

Can I have multiple passkeys?#

Yes, you can add multiple passkeys — for example, for different devices. You can view and remove each one in the Security section.

What happens if I lose my phone with the authenticator app?#

Sign in using one of your backup codes. After signing in, we recommend deactivating 2FA in the Security section and setting it up again on your new device, or generating a new set of backup codes.

How do I know if 2FA is enabled on my account?#

In the Security section, the Authenticator app will show a status of active and a red Disable button.

Why does the system say my sign-in is suspended?#

The system automatically limits the number of failed sign-in attempts and gradually increases the waiting time. In extreme cases, sign-in may be temporarily blocked. Wait for the displayed time and try again. If you have forgotten your password, use the password recovery link on the sign-in page.

Was this article helpful?