# MFA

{% hint style="info" %}
This feature is available in the **Essential plan and higher**.
{% endhint %}

You may set up MFA for your account in [Control Panel > Account (top right corner) > Security](https://account.goodaccess.com/security-settings/).

Once MFA is enabled, you will be prompted to enter a security code from a TOTP-based authentication app (e.g. [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en), [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator), [Authy](https://authy.com/download/) or [1Password](https://support.1password.com/one-time-passwords/)) every time you log in.

## Backup Codes

When setting up MFA, a set of backup codes will be automatically generated for you.

These are one-time codes that can be used if you lose access to your primary MFA device, ensuring you can always securely regain access to your account.

Each backup code can only be used once. You can regenerate these codes at any time, which will invalidate any previously generated codes to maintain security.

If you use a backup code to log in, you can disable MFA using your password. The option to regenerate backup codes will be disabled until you set up a new MFA or log in with your current MFA.

{% hint style="danger" %}
Protect your backup codes as if they were passwords.
{% endhint %}

## Managing Team MFA

You may manage Team MFA in [Control Panel > Settings > MFA & Login Security](https://app.goodaccess.com/mfa-and-login-security/).

Once enabled, Team Admins or Members will be forced to use MFA when logging in to the Control Panel, Client Application, or both, depending on your configuration.

## Step-Up Authentication via API

For advanced security workflows, you can trigger **Step-Up Authentication** by interrupting a user's active session via a **Disconnect** [API endpoint](https://support.goodaccess.com/configuration-guides/api-integration/api-reference/members#post-api-v1-member-teammemberid-disconnect). This forces the user to re-authenticate as soon as the application attempts to reconnect.

**Use Cases**:

* **Automated Security Response**: Integrate with your **SIEM/SOC** to automatically terminate sessions when a high-risk event (e.g., login from an unusual country) is detected.
* **Contextual Security**: Enforce a fresh MFA challenge during a device posture change or for periodic security re-verification of highly sensitive resources.

To make this effective, you must ensure that the user cannot reconnect automatically without an MFA challenge. In [Control Panel > Settings > MFA & Login Security](https://app.goodaccess.com/mfa-and-login-security/), you must have at least one of the following connection policies enabled:

* **TOTP Prior Connection**: The user will be prompted to enter a 6-digit code from their authenticator app before the connection is established.
* **PIN & Biometrics Prior Connection**: The user must unlock the connection attempt using their device’s biometrics (TouchID/FaceID/Windows Hello) or the application PIN.

{% hint style="danger" %}
**Warning**: If neither of these options is enabled, the client application may attempt to restore the connection automatically, which would bypass the Step-Up Authentication intent.
{% endhint %}
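
The following is an added example, not GoodAccess code: a sketch of the SIEM-driven response described above, which decides from alert data which members need a step-up challenge and builds the Disconnect call for each. The base URL, bearer-token header, alert field names, and country policy are assumptions or placeholders; only the endpoint path is read from the linked API reference anchor.

```python
import urllib.parse
import urllib.request

# Assumptions, not taken from the GoodAccess docs: base URL, bearer-token
# auth and the alert field names. The path is read from the anchor of the
# Disconnect endpoint reference linked above.
API_BASE = "https://goodaccess-api.example.invalid"  # placeholder
API_TOKEN = "REPLACE_WITH_API_TOKEN"                 # placeholder
USUAL_COUNTRIES = {"CZ", "DE"}                       # constructed policy

# Constructed SIEM alerts for the two use cases listed above.
SAMPLE_ALERTS = [
    {"member_id": "member-001", "event": "login", "country": "CZ"},
    {"member_id": "member-002", "event": "login", "country": "BR"},
    {"member_id": "member-002", "event": "login", "country": "BR"},
    {"member_id": "member-003", "event": "posture_change", "country": "DE"},
]

def needs_step_up(alert):
    """True for a device posture change or a login from an unusual country."""
    if alert["event"] == "posture_change":
        return True
    return alert["event"] == "login" and alert["country"] not in USUAL_COUNTRIES

def build_disconnect_request(member_id):
    """POST /api/v1/member/{teamMemberId}/disconnect with the id path-escaped."""
    safe_id = urllib.parse.quote(member_id, safe="")
    return urllib.request.Request(
        f"{API_BASE}/api/v1/member/{safe_id}/disconnect",
        method="POST",
        headers={"Authorization": f"Bearer {API_TOKEN}"},
    )

def respond(alerts, prior_connection_policy_enabled, send=None):
    """Disconnect each risky member once; send=None is a dry run."""
    if not prior_connection_policy_enabled:
        # Without a Prior Connection policy the client may reconnect silently.
        raise RuntimeError("no Prior Connection policy enabled")
    disconnected = []
    for alert in alerts:
        member_id = alert["member_id"]
        if member_id in disconnected or not needs_step_up(alert):
            continue
        request = build_disconnect_request(member_id)
        if send is not None:
            send(request)  # e.g. urllib.request.urlopen
        disconnected.append(member_id)
    return disconnected
```

Calling `respond(SAMPLE_ALERTS, True)` performs a dry run and returns the member IDs that would be disconnected; pass `send=urllib.request.urlopen` only after replacing the placeholders with values from the API reference.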

## Reset of MFA

To reset your MFA, ask your Team Admin or [contact our technical support](https://www.goodaccess.com/contact).

A Team Admin can reset a user's MFA in [Control Panel > Members > Edit button of the Member](https://app.goodaccess.com/team-members/). The reset does not take effect immediately: the user must take action upon receiving an email and navigate to setting up a new MFA. The old MFA is invalidated after the new one is set up.
