Sign In and Account Security
SyncTV can enable several sign-in methods. The methods shown in the UI depend on administrator configuration.
Sign-In Methods
| Method | Requires | Good for |
|---|---|---|
| OPAQUE password login | Local password | Public client local password login without storing direct password-verifier equivalents |
| Direct password login | Username or email and password | Restricted environments where an OPAQUE client is unavailable while the server still stores and verifies OPAQUE credentials |
| Passkey/WebAuthn | Browser, OS account, or security key | Passwordless sign-in or second factor |
| Email code | A reachable verified email address | Sign-in, verification, recovery, or MFA |
| OAuth2/OIDC | Third-party account | GitHub, Google, Logto, or generic OIDC |
Before Enabling 2FA
Make sure you have at least two local verification methods: local password, passkey/WebAuthn, or verified email. OAuth2 does not count as a local 2FA factor.
When a Second Factor Is Required
- Complete the first factor: OPAQUE password login, direct password login, passkey, email sign-in, or OAuth2.
- If SyncTV asks for 2FA, choose one of the available second factors.
- Complete email code or passkey/WebAuthn.
- After signing in, confirm that at least two local verification methods remain available.
For local password login, public clients prefer OPAQUE. Direct password login serves restricted environments where the OPAQUE exchange is unavailable; the server immediately creates or verifies OPAQUE credentials from the submitted password.
Account Issues
| Symptom | Check first |
|---|---|
| Password login fails | Username, password, account ban, 2FA requirement |
| Email code does not arrive | Address, spam folder, verified email, SMTP availability |
| OAuth2 callback does not sign in | Registration review, existing binding, callback URL |
| Passkey is unavailable | Browser, OS account, security key, current domain |
| 2FA blocks access | Whether two local verification methods still exist |
When reporting a problem, include time, username, sign-in method, error text, and requestId. Do not send passwords, tokens, cookies, OAuth2 codes, or verification codes.
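One way to prepare such a report before sending it, as an added example that is not part of SyncTV: keep only the fields listed above and scrub secret values from the free text. Apart from `requestId`, the field names, the secret key names and the sample input are assumptions constructed for this illustration.

```python
import re

# Fields the page asks for. Only requestId is a name from the page; the
# other key names are assumptions made for this example.
REPORT_FIELDS = ("time", "username", "sign_in_method", "error_text", "requestId")

# key=value / key: value / "key": "value" pairs whose key names a secret.
# \b keeps keys such as error_code from matching.
_PAIR = re.compile(
    r"(?i)\b(password|(?:access_|refresh_|id_)?token|cookie|(?:verification_)?code)\b"
    r"([\"']?\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|[^\s&;,]+)"
)
_BEARER = re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]+")
_JWT = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")


def scrub(text):
    """Replace secret values in free text, keeping the surrounding context."""
    text = _BEARER.sub(r"\1[REDACTED]", text)  # first: its value follows a space
    text = _JWT.sub("[REDACTED]", text)
    return _PAIR.sub(r"\1\2[REDACTED]", text)


def build_report(raw):
    """Allowlist the report fields, then scrub each kept value."""
    return {f: scrub(str(raw[f])) for f in REPORT_FIELDS if f in raw}


SAMPLE = {  # constructed input, not real SyncTV output
    "time": "2025-01-01T12:00:00Z",
    "username": "alice",
    "sign_in_method": "OAuth2",
    "error_text": "callback failed: GET /callback?code=4f9a1c&state=xyz -> 400; "
                  "retry sent password=hunter2",
    "requestId": "req-constructed-0001",
    "cookie": "sid=constructed-session",  # never belongs in a report
}

if __name__ == "__main__":
    for key, value in build_report(SAMPLE).items():
        print(f"{key}: {value}")
```

The allowlist drops anything not asked for, so a stray `cookie` field never reaches the report even if the scrubber's patterns miss it.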