Two-Factor Authentication
Last updated on May 21, 2026
Two-factor auth (2FA) adds a second check on top of email or SSO login. You can use one of two factor types:
- Passkeys: WebAuthn backed by laptop biometrics, phone, or hardware key (YubiKey).
- Authenticator apps: TOTP from 1Password, Google Authenticator, Authy.
Either factor alone is enough.
Enable 2FA
You enable 2FA from your own authentication settings, then pick a factor and save your recovery codes.
- Open Settings > Authentication.
- Click Enable in the Two-factor authentication card.
- Pick a factor type.
- Save the recovery codes. Each code is single-use, so store them offline.
Set up a passkey
Passkeys let you sign in with biometrics or a hardware key, and you can register more than one for the same account.
- Click Add passkey under Settings > Authentication.
- Pick a credential source: current device, phone via QR, or hardware key.
- Follow the system prompt (Touch ID, Windows Hello, YubiKey tap).
- Name the passkey (MacBook Pro, YubiKey 5, iPhone 15) so you can revoke it later if needed.
Set up an authenticator app
Authenticator apps generate a fresh six-digit code every 30 seconds, and you confirm pairing once during setup.
- Click Add authenticator app under Settings > Authentication.
- Scan the QR code, or paste the secret manually.
- Enter the six-digit code to confirm pairing.
Every sign-in prompts for a fresh code.
Recovery codes
Recovery codes bypass 2FA, and each code is single-use.
To regenerate, you invalidate the old set and save the new one:
- Open Settings > Authentication > Two-factor authentication.
- Click Generate new recovery codes. Old codes are invalidated.
- Save the new codes offline.
Enforce 2FA organization-wide
Owners can require every member to enroll a second factor.
- Open Settings > Organization > Security.
- Toggle Require two-factor authentication for all members.
Members without 2FA enroll on their next sign-in before they can access data.
SSO members satisfy enforcement when their IdP requires 2FA upstream, because the check reads the SSO assertion.
Lose your second factor
Owners reset a member's 2FA under Settings > Members > Reset 2FA, and the member re-enrolls on their next sign-in.
If you are the only Owner and locked out, contact support@tofupilot.com.