Setup flow: log in for the first time, then navigate to Settings → Security → Two-factor authentication. Paste your PGP public key (the same one you use for verifying the login timestamp). The platform stores it; on every subsequent login it generates a one-time 6-digit code, encrypts it under your public key, and presents the encrypted block. You copy the block, decrypt it locally with gpg --decrypt, paste the plaintext code, and complete the login.
Why PGP-based rather than TOTP: TOTP shares a seed between platform and client at enrollment; if the platform is compromised, the seed leaks. PGP-based 2FA does not share any persistent secret: the platform only ever holds your public key, which is publishable by design. A platform-side compromise does not enable the attacker to bypass the 2FA.
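An added example (not code from the original page or from the platform) contrasting what the server has to keep in each scheme: a TOTP code is computable from the stored seed alone, while the encrypted-code flow keeps only a short-lived, single-use challenge. The class name, TTL and user name are assumptions, and the GnuPG encryption step is left to the caller.

```python
import hashlib, hmac, secrets, struct

def totp(seed: bytes, now: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code is a pure function of seed and time."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ChallengeStore:
    """Server side of the encrypted-code flow (hypothetical class).

    Persistent per-user state is the public key only. The pending code is
    random, short-lived and single-use; hashing it would add little because
    the space is only 10**6, so expiry and one-attempt semantics do the work.
    """
    def __init__(self, ttl: int = 120):  # ttl in seconds is an assumption
        self.ttl = ttl
        self.pending = {}  # user -> (code, expiry); in memory, never persisted

    def issue(self, user: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (code, now + self.ttl)
        return code  # caller encrypts this to the user's public key with GnuPG

    def verify(self, user: str, submitted: str, now: float) -> bool:
        # pop() consumes the challenge on the first attempt, right or wrong
        code, expiry = self.pending.pop(user, ("", 0.0))
        same = hmac.compare_digest(code.encode(), submitted.encode())
        return bool(code) and now <= expiry and same

def demo():
    # Constructed sample: the RFC 6238 test seed stands in for a leaked seed row.
    leaked_seed = b"12345678901234567890"
    forged = totp(leaked_seed, now=59)  # seed + clock is all that is needed
    store = ChallengeStore()
    code = store.issue("alice", now=1000.0)
    first = store.verify("alice", code, now=1010.0)
    replay = store.verify("alice", code, now=1011.0)  # already consumed
    return forged, first, replay

if __name__ == "__main__":
    print(demo())
```
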
Verified working Nexus Market mirrors
Three v3 onion addresses currently serving the production market, signed under PGP fingerprint 0x7F2A0A9D. Use the Copy button; never retype an address.
TorTaught