MFA
Multi-factor authentication (MFA) is an access control technique that requires a user to provide one or more additional proofs of identity on top of the password and username.
This feature is available in the Essential plan and higher.
You may set up MFA for your account in Control Panel > Account (top right corner) > Security.
Once MFA is enabled, you will be prompted to enter a security code from a TOTP-based authentication app (e.g. Google Authenticator, Microsoft Authenticator, Authy or 1Password) every time you log in.
Backup Codes
When setting up MFA, a set of backup codes will be automatically generated for you.
These are one-time codes that can be used if you lose access to your primary MFA device, ensuring you can always securely regain access to your account.
Each backup code can only be used once. You can regenerate these codes at any time, which will invalidate any previously generated codes to maintain security.
If you use a backup code to log in, you can disable MFA using your password. The option to regenerate backup codes stays disabled until you set up a new MFA or log in with your current MFA.
Protect your backup codes as if they were passwords.
Managing Team MFA
You may manage Team MFA in Control Panel > Settings > MFA & Login Security.
Once enabled, Team Admins or Members will be forced to use MFA while logging in to the Control Panel, Client Application, or both, depending on your configuration.
Step-Up Authentication via API
For advanced security workflows, you can trigger Step-Up Authentication by interrupting a user's active session via a Disconnect API endpoint. This forces the user to re-authenticate as soon as the application attempts to reconnect.
Use Cases:
Automated Security Response: Integrate with your SIEM/SOC to automatically terminate sessions when a high-risk event (e.g., login from an unusual country) is detected.
Contextual Security: Enforce a fresh MFA challenge during a device posture change or for periodic security re-verification of highly sensitive resources.
To make this effective, you must ensure that the user cannot reconnect automatically without an MFA challenge. In the Control Panel > Settings > MFA & Login Security, you must have at least one of the following connection policies enabled:
TOTP Prior Connection: The user will be prompted to enter a 6-digit code from their authenticator app before the connection is established.
PIN & Biometrics Prior Connection: The user must unlock the connection attempt using their device’s biometrics (TouchID/FaceID/Windows Hello) or the application PIN.
Warning: If neither of these options is enabled, the client application may attempt to restore the connection automatically, which would bypass the Step-Up Authentication intent.
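The precondition above, as an added example (not part of this documentation's own API reference): a SIEM-side handler that refuses to trigger a disconnect unless one of the two connection policies is enabled. The event fields, the policy key names and the `disconnect` callback that stands in for the call to the Disconnect API endpoint are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Hypothetical keys for the two connection policies named in the text.
STEP_UP_POLICIES = {"totp_prior_connection", "pin_biometrics_prior_connection"}

@dataclass(frozen=True)
class Event:                      # constructed SIEM event shape (assumption)
    user: str
    kind: str                     # "login" or "posture_change"
    country: str = ""

def is_high_risk(event: Event, usual_countries: dict[str, set[str]]) -> bool:
    """Triggers from the use cases: unusual login country, device posture change."""
    if event.kind == "posture_change":
        return True
    if event.kind == "login":
        # A user with no known baseline is treated as unusual (fail closed).
        return event.country not in usual_countries.get(event.user, set())
    return False

def step_up(events: Iterable[Event],
            enabled_policies: set[str],
            usual_countries: dict[str, set[str]],
            disconnect: Callable[[str], None]) -> list[str]:
    """Disconnect each high-risk user once; refuse if no pre-connection challenge is on."""
    if not (enabled_policies & STEP_UP_POLICIES):
        # Without one of the policies the client may reconnect silently,
        # so the disconnect would not force re-authentication.
        raise RuntimeError("enable TOTP or PIN & Biometrics Prior Connection first")
    done: list[str] = []
    for ev in events:
        if ev.user not in done and is_high_risk(ev, usual_countries):
            disconnect(ev.user)   # placeholder for the Disconnect API call
            done.append(ev.user)
    return done

if __name__ == "__main__":
    # Constructed sample data.
    usual = {"alice": {"CZ"}, "bob": {"DE"}}
    events = [Event("alice", "login", "CZ"), Event("bob", "login", "BR"),
              Event("alice", "posture_change"), Event("bob", "login", "BR")]
    print(step_up(events, {"totp_prior_connection"}, usual,
                  lambda user: print("disconnect", user)))
```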
Reset of MFA
To reset your MFA, ask your Team Admin or contact our technical support.
A Team Admin can reset a user's MFA in Control Panel > Members > Edit button of the Member. The reset does not take effect immediately: the user receives an email and must act on it by proceeding to set up a new MFA. The old MFA is invalidated after the new one is set up.