Set up two-factor authentication
Two-factor authentication (2FA) adds a second sign-in step: a time-based one-time password (TOTP) from an authenticator app on your phone. Even if your password leaks, an attacker still needs the rotating 6-digit code to reach your account.
:::note Before you begin
You need a signed-in account on the workspace and an authenticator app on your phone.
Any TOTP-compatible app works — Google Authenticator, Authy, 1Password, or Microsoft
Authenticator. No admin role is required; every user can enrol their own account. Open
the screen from the My portal under My profile → Two-factor authentication, or
go straight to /my/profile/two-factor.
:::
How the screen reports its state
The Authenticator app (TOTP) card shows one of three states, with a matching badge in the card header.
| State | Badge | What you see |
|---|---|---|
| Not configured | Not configured (slate) | A short explainer and an Enable two-factor button. |
| Pending confirmation | Pending confirmation (amber) | A QR code, the secret to copy, and a 6-digit code field. A secret has been minted but you haven't confirmed it yet. |
| Enabled | Enabled (emerald) | The date you confirmed, a Regenerate recovery codes button, and a collapsed Disable two-factor section. |
A pending enrolment does not protect your account and does not block password sign-in. Two-factor is only active once you complete the confirmation step below and the badge turns Enabled.
Enable two-factor
To turn on TOTP two-factor:
- In the My portal sidebar, select My profile.
- In the Two-factor authentication card, select Set up two-factor (or Enable two-factor on the management screen). The card switches to the Pending confirmation state and shows a QR code.
- Open your authenticator app and scan the QR code under Step 1. If your camera struggles, select Copy next to the secret and paste it into the app's manual-entry option instead.
- Under Step 2, enter the current 6-digit code your app generates.
- Select Confirm and enable.
A green confirmation appears ("Two-factor authentication is now active. Save your recovery codes — they're shown once.") and your recovery codes are displayed immediately. Save them before leaving the page (see Save your recovery codes).
The code rotates every 30 seconds. The server accepts the current code plus the one immediately before and after it, so roughly a minute of clock drift between your phone and the server is tolerated. If a code is rejected, wait for the next one and try again.
If you reload the page or navigate away during the Pending confirmation state without confirming, the pending secret is discarded. Select Enable two-factor again to mint a fresh QR code and start over.
Save your recovery codes
After you confirm enrolment — and again whenever you regenerate them — a list of recovery
codes appears in an amber Save these recovery codes — shown ONCE panel. Each code is
formatted XXXX-XXXX so it's unambiguous to type from a printout.
| Property | Value |
|---|---|
| Number of codes | 8 |
| Format | XXXX-XXXX (uppercase) |
| Use | Each code signs you in once if you lose your authenticator app |
| Lifetime | Single-use — a code is invalidated the moment it's used |
| Visibility | Shown once, at enrolment or regeneration; never displayed again |
Select Copy all codes to copy the full set, then store them in a password manager or print them. The same panel never reappears, so capture them now.
Recovery codes are shown once and cannot be retrieved later. If you lose them, select Regenerate recovery codes to issue a fresh set — this immediately invalidates the old set.
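The recovery-code properties in the table above, and the regeneration behaviour described under Regenerate recovery codes, as an added example that is not the workspace's own implementation: eight XXXX-XXXX codes are minted, only salted slow hashes are stored, a code is removed the moment it is redeemed, and regenerating drops the old set at once. The alphabet (uppercase without 0/O/1/I), the PBKDF2 parameters and the class layout are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8                                  # the page: 8 codes per set
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # assumption: uppercase, no 0/O/1/I
PBKDF2_ROUNDS = 50_000                          # assumption: slow hash for stored codes


def generate_recovery_codes(count: int = CODE_COUNT) -> list[str]:
    """Mint `count` random codes in the page's XXXX-XXXX uppercase format."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes


def normalize(code: str) -> str:
    """Tolerate lowercase and a missing hyphen when a code is typed from a printout."""
    return code.strip().upper().replace("-", "")


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted, slow hash: a leaked table does not yield directly usable codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeSet:
    """Server-side state for one user's current set of codes (assumed design)."""

    def __init__(self) -> None:
        self.salt = b""
        self.hashes: list[bytes] = []

    def regenerate(self) -> list[str]:
        """Issue a fresh set; old hashes are discarded, so old codes stop working at once."""
        codes = generate_recovery_codes()
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes  # shown to the user exactly once; the plaintext is not retained

    def redeem(self, submitted: str) -> bool:
        """Single use: a matching code is deleted the moment it is accepted."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)
```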
Sign in with two-factor
Once two-factor is active, every sign-in adds a verification step after your password is accepted. The challenge page (Two-factor verification — Password accepted. Enter your code to continue.) offers two ways to pass.
| Method | When to use | What to enter |
|---|---|---|
| Authenticator code | Normal sign-in | The current 6-digit code from your app, then Verify and sign in |
| Recovery code | You don't have your phone | Select Lost your phone? Use a recovery code, enter one XXXX-XXXX code, then Use recovery code |
Selecting Sign in as a different user cancels the challenge and returns you to the login screen.
Using a recovery code consumes it permanently. After signing in this way, open My profile → Two-factor authentication and select Regenerate recovery codes to replace the set if you're running low.
Regenerate recovery codes
Issue a fresh set if you've used several codes or suspect the old ones are exposed.
- Open My profile → Two-factor authentication (the card must show Enabled).
- Select Regenerate recovery codes.
- Confirm the prompt — Generate new recovery codes? Old codes will stop working immediately.
A new 8-code panel appears. The previous codes stop working at once, so re-save the new set.
Disable two-factor
Turning off two-factor removes the second sign-in step and makes your account easier to compromise. Disabling requires your current password as a confirmation.
- Open My profile → Two-factor authentication.
- Expand the rose Disable two-factor section.
- Enter your Current password.
- Select Disable two-factor.
The card returns to the Not configured state and a confirmation appears.
If your organisation requires two-factor (see below), disabling it sends you straight back to this setup page on your next request until you enrol again. Signing out does not clear the requirement.
When your organisation requires two-factor
An administrator can make two-factor mandatory from Admin → Settings → Security with either of two policy levers:
| Setting | Who it applies to |
|---|---|
| Require MFA for everyone | Every signed-in user in the workspace |
| Require MFA for admins | Administrator, IT administrator, and super-administrator roles |
If a policy applies to you and you haven't enrolled, the workspace redirects every page you open to My profile → Two-factor authentication with the message Two-factor authentication is required by your organisation. Set it up to continue. You can still reach the enrolment steps, sign out, and complete the login challenge — but normal navigation stays blocked until the card shows Enabled.
Troubleshooting
| Symptom | What to do |
|---|---|
| The QR code won't scan | Select Copy next to the secret under Step 1 and paste it into your app's manual-entry option. The secret and QR produce the same account. |
| Your code is rejected with That code did not match | Wait for the next code your app generates and enter it. Codes are time-based, so a stale code or a clock more than ~1 minute off the server will fail. |
| No pending enrollment. Click "Enable" to start over appears on confirm | The pending secret expired because you reloaded or navigated away. Select Enable two-factor to mint a fresh QR code. |
| You lost your phone and can't get a code | On the sign-in challenge, select Lost your phone? Use a recovery code and enter one of your saved XXXX-XXXX codes. |
| You've used most of your recovery codes | Sign in, open My profile → Two-factor authentication, and select Regenerate recovery codes to issue a fresh set of 8. |
| Password did not match. Two-factor remains enabled. when disabling | Re-enter your current account password. Disabling is intentionally gated behind a password check. |
| Every page keeps redirecting you to this setup screen | Your organisation requires two-factor. Complete enrolment so the card shows Enabled, then navigation is unblocked. |