Two-Factor Authentication (2FA) on Vome

How Does Two-Factor Authentication (2FA) Work on Vome?

Overview

Two-factor authentication (2FA) adds a second step to admin sign-in. After entering a password, the admin confirms a one-time verification code. This protects accounts against stolen or guessed passwords.

Availability: 2FA is available to organization admins on the Enterprise and Ultimate plans. On lower plans, the 2FA settings are locked and display an "Available on Enterprise" notice.

1. Which verification methods are supported?

Two methods are available:

  • Authenticator app (recommended): Google Authenticator, Microsoft Authenticator, Authy, 1Password, OneLogin, and any compatible app.
  • Text message (SMS): a code sent to a verified phone number.

Each admin uses one active method at a time, either an authenticator app or SMS, not both. Setting up an authenticator app makes it the active method, and the phone option is set aside (it stays on file but is not used). Removing the authenticator app switches SMS back on automatically.

2. How do I set up 2FA on my own admin account?

Go to Settings > Security > Two-Factor Authentication (2FA). You will see a Phone Number section and an Authenticator app section.

Option A: Authenticator app (recommended)

  1. Under "Authenticator app," click Set up.
  2. Scan the on-screen QR code with your authenticator app, or type in the key shown beneath it.
  3. Enter the 6-digit code from the app and click Verify & enable.
  4. Save the backup recovery codes you are shown. You can copy or download them. They are shown only once.
  5. The authenticator app is now your active method, and the phone section is hidden.

Option B: Text message (SMS)

  1. Under "Phone Number," click Add and enter your phone number.
  2. We text you a code. Enter it to verify the number.
  3. Turn on 2-Step Verification. SMS is now your active method.

Switching methods

To move from SMS to an authenticator app, simply set up the authenticator app and it takes over. To go back to SMS, remove the authenticator app and your phone number is used again, with no need to re-enter it.

3. What are backup recovery codes?

When you set up an authenticator app, you receive 10 one-time backup codes. Each code works once if you ever lose access to your authenticator app. From the 2FA settings, you can download them, copy them, or regenerate a fresh set (regenerating invalidates the old set).

Please note: backup codes come with the authenticator app method. If you only use SMS, your recovery path is to receive a new code by text using the "Resend" option. If an admin loses both their authenticator app and their backup codes, they will need to contact support to regain access, as there is no self-serve reset.

4. What does signing in with 2FA look like?

  1. Enter your email and password.
  2. You are prompted for a verification code:
    • Authenticator app: open your app and enter the current 6-digit code.
    • SMS: we text you a code, then you enter it (a "Resend" option is available).
    • Backup code: choose "Use a backup code" and enter one of your saved codes.
  3. On success, you are signed in.

Access is not granted until the code is verified. The second factor is enforced on our servers, not just in the app.

5. How does an Account Holder require 2FA for the whole organization?

Organization-wide enforcement is controlled only by the Account Holder of the organization, and only on the Enterprise or Ultimate plan. Other admins, and Account Holders on lower plans, do not see this control.

Go to Settings > Security > Two-Factor Authentication (2FA) and scroll to the Organization-wide enforcement section at the bottom. There you will find:

  • A toggle to require two-factor authentication for every admin in the organization.
  • An Exempt admins list, where the Account Holder can enter specific admin emails (one per line) who are not required to use 2FA.

What happens when enforcement is turned on:

  • Admins who already have 2FA set up are simply asked for their code at their next sign-in.
  • Admins who do not have 2FA yet are taken through a "Set up two-factor authentication" screen at their next login. They choose an authenticator app or SMS, complete setup, and only then reach the dashboard. Existing active sessions are not interrupted, and the requirement applies on the next sign-in. This is the grace period.
  • Newly invited admins in an enforced organization are walked through 2FA setup right after they claim their profile and verify their email, before entering the platform.
  • Exempted admins sign in normally without 2FA.

Turning enforcement off stops requiring it. Admins who set up 2FA keep it unless they remove it themselves.

6. How does 2FA work with Single Sign-On (SSO)?

If your organization uses enforced SSO, admins sign in through your identity provider (Microsoft Entra, Google Workspace, and similar), which handles its own multi-factor security. App-level 2FA does not additionally apply to SSO logins, because SSO is treated as the secure path. 2FA enforcement applies to password-based admin logins.
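The enforcement and SSO rules in sections 5 and 6 can be checked against an admin roster to see which password logins remain single-factor. The sketch below is an added example, not Vome's own code or API: the roster format, the function names, the email normalization, and the rule that an admin who has already set up 2FA is always prompted (even if exempt) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Admin:
    email: str
    method: Optional[str]  # "authenticator", "sms", or None when no 2FA is set up

def parse_exempt(text: str) -> set:
    """Exempt list is one email per line; trimming and lowercasing are assumptions."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def sign_in_outcome(admin: Admin, enforced: bool, exempt: set, via_sso: bool) -> str:
    """Return what the next sign-in requires for this admin."""
    if via_sso:
        return "idp_mfa"          # app-level 2FA does not apply to SSO logins
    if admin.method:
        return "code_prompt"      # assumption: an enrolled admin is always prompted
    if enforced and admin.email.lower() not in exempt:
        return "forced_setup"     # must enrol before reaching the dashboard
    return "password_only"        # exempt, or enforcement is off

def password_only_admins(roster, enforced: bool, exempt_text: str) -> list:
    """Admins whose password login is still single-factor under these settings."""
    exempt = parse_exempt(exempt_text)
    return [a.email for a in roster
            if sign_in_outcome(a, enforced, exempt, via_sso=False) == "password_only"]

# Constructed sample roster, not real Vome data.
ROSTER = [
    Admin("alice@example.org", "authenticator"),
    Admin("bob@example.org", "sms"),
    Admin("carol@example.org", None),
    Admin("dave@example.org", None),
]
EXEMPT_TEXT = "Dave@example.org\n\n"  # constructed exempt list with a blank line

if __name__ == "__main__":
    for enforced in (False, True):
        print(enforced, password_only_admins(ROSTER, enforced, EXEMPT_TEXT))
```

With enforcement on, the only password-only admin left in the sample is the exempt one without 2FA, which is the residual exposure an Account Holder should review when maintaining the Exempt admins list.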

7. Does 2FA work on web and mobile?

Yes. Everything above works in the web app and the mobile app. Admins can complete the verification step, and the required first-time setup, on either one. Organization-wide enforcement is configured by the Account Holder on the web settings page.
