Two-Factor Authentication (2FA)
Signing in asks for a second factor on top of the password — a time-based code from an authenticator app. Even if a password falls into the wrong hands, the account stays protected.
For Org Admins 2FA is mandatory. The application forces them through setup on their first sign-in; it cannot be skipped. All other roles may enable 2FA voluntarily.
Setting it up
- Click Account at the bottom of the left menu (page Profile).
- Scroll to Two-factor authentication and click Enable 2FA.
- Scan the QR code with an authenticator app. Proven choices:
- Aegis (Android, open source)
- Google Authenticator, Microsoft Authenticator (Android/iOS)
- the authenticator built into many password managers
- Enter the six-digit code from the app to confirm.
From now on, signing in asks for the password and the current code.
Recovery codes
After setup you receive a list of single-use recovery codes. They get you back into your account if the phone is lost or the app was reinstalled.
Save the codes immediately
The codes are shown exactly once and cannot be retrieved again. Store them right away — in a password manager or printed in a safe. Each code works once.
If you lose the second factor
| Situation | Way out |
|---|---|
| Phone gone, recovery codes at hand | Enter a recovery code instead of the app code, then set 2FA up again from your profile. |
| Phone gone, no codes left | Another Org Admin cannot unlock the account. The operator of the instance has to reset the 2FA record in the database — see Operations. Which is why there should always be at least two Org Admins. |
Two admins
Set up two Org Admin accounts with separate authenticator apps from the start. It costs nothing and saves a database intervention when it matters.
Signing in with 2FA
- Enter email and password.
- Enter the current six-digit code from your authenticator app.
Wrong codes do not lock the account — you can simply try again (the lockout after repeated failures applies to the password only).