For the verification flow, Step 4 of the homepage tutorial is the canonical reference: pull the signed timestamp from the login footer, save it to a file, run gpg --verify, and confirm that the output reports Good signature with fingerprint 0x7F2A0A9D. For 2FA enrollment, the platform's security panel walks through it after first login: paste your public key; on every subsequent login the platform encrypts a one-time code under it, and you decrypt it locally with gpg --decrypt.
2FA enrollment takes 90 seconds and converts a credential-stuffing attack from “guess one password” to “guess one password and steal a private key.” That second condition is one that real-world attackers don't routinely meet.
Verified working Nexus Market mirrors
Three v3 onion addresses currently serving the production market, signed under PGP fingerprint 0x7F2A0A9D. Use the Copy button; never retype an address.
TorTaught