Two-Factor Authentication

Add an authenticator app, register passkeys, and generate backup codes

Overview

Three independent second factors, each configured on Settings > Security.

Two-factor authentication (2FA / MFA) means you need something in addition to your password to sign in. The Security page supports three kinds of second factor: time-based codes from an authenticator app, passkeys bound to a device, and single-use backup codes. You can enroll more than one of each — a common setup is a phone authenticator plus a laptop passkey plus a sheet of backup codes printed out.

Enroll at least two factors
A single factor is a single point of failure. If you lose your phone, a passkey on your laptop (or a backup code sheet) lets you back in without a support ticket.

Authenticator App (TOTP)

Time-based one-time passwords from apps like Authy, 1Password, or Google Authenticator.

1. Open the authenticator card

   On Settings > Security, find the Authenticator app (TOTP) card and click Add authenticator.

2. Scan the QR code

   The enrollment modal shows a QR code. Open your authenticator app, pick "Add account", and scan it. If you cannot scan, copy the backup secret shown under the QR and paste it into your app.

3. Enter the 6-digit code

   Your authenticator app starts producing 6-digit codes that rotate every 30 seconds. Type the current code into the modal to finish enrollment.

4. Name it and save

   Give the factor a friendly name so you can tell it apart from others later. Save to finish.

Verified authenticators appear in a list on the card with their friendly name and the date added. You can enroll multiple authenticators — for example, one per device.

Passkeys

A modern replacement for passwords, bound to your device's biometrics or a security key.

A passkey is a credential stored securely on your device. Signing in checks that you are physically present (Face ID, Touch ID, Windows Hello, or a tap on a hardware security key) rather than asking you to type anything. Passkeys cannot be phished because they are tied to the exact site that created them.

Enrollment is shipping soon
The Passkeys card shows a Coming soon button today. The underlying support for signing in with an existing passkey is in place, and any passkeys already attached to your account continue to work and can be removed from the card. Creating a brand-new passkey from the browser is not yet wired up — the full enrollment ceremony ships in a follow-up release. For now, enroll an Authenticator app (TOTP) and backup codes to cover your MFA.

Device compatibility (once enrollment ships)

  • Platform authenticators — Face ID and Touch ID on Apple devices, Windows Hello on Windows 10+, fingerprint or face unlock on Android. The passkey stays on that device (or syncs via iCloud Keychain / Google Password Manager).
  • Cross-platform authenticators — Hardware keys like YubiKey or SoloKey. Portable across machines, good for shared or hot-desk setups.

Removing a Passkey

Existing passkeys can be removed today even though new enrollment is not yet available.

  • Find the passkey in the list on the Passkeys card and click the trash icon.
  • Re-verify with step-up reauth in the dialog.
  • Confirm removal. The passkey is removed immediately.

Backup Codes

Single-use codes that save you when you cannot reach your other factors.

Backup codes are the emergency method. Each sheet contains 10 single-use codes — any one of them works as a second factor exactly once. The Codes remaining counter on the card tells you how many are left.

How they work

  • You must have at least one verified authenticator or passkey before you can generate codes. Backup codes only protect MFA — they are a fallback, not a standalone factor.
  • Click Generate codes (or Regenerate if you already have codes). The step-up reauth dialog asks you to verify first, because generating a new sheet invalidates the old sheet.
  • The 10 codes are shown once, in a modal. Copy, download, or print them before you close the modal — there is no way to view them again.
  • Each code can be used exactly once. Using one decrements the Codes remaining counter.
  • When you run low, regenerate to get a fresh sheet. The old sheet is invalidated the moment the new one is created.

Store backup codes somewhere offline
Save them to a password manager, print them out, or write them in a notebook stored somewhere safe. Do not email them to yourself — an attacker who gets into your email should not also get into your CRM.
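The backup-code rules above (10 codes per sheet, each usable once, regeneration invalidating the old sheet, codes shown only at creation) modelled as an added example, not this product's code. The `BackupCodes` class, the code alphabet and length, and the PBKDF2 parameters are assumptions; the factor precondition and step-up reauth are left out.

```python
import hashlib
import hmac
import secrets

SHEET_SIZE = 10  # codes per sheet, as stated on this page
CODE_LEN = 10    # assumed length
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no 0/O/1/I look-alikes


class BackupCodes:
    """Hypothetical per-account store that keeps only salted hashes."""

    def __init__(self):
        self._salt = b""
        self._hashes = set()

    def _hash(self, code):
        normalized = code.replace("-", "").replace(" ", "").upper().encode()
        return hashlib.pbkdf2_hmac("sha256", normalized, self._salt, 100_000)

    def regenerate(self):
        """Create a fresh sheet; the previous sheet stops working at once."""
        self._salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(SHEET_SIZE)]
        self._hashes = {self._hash(c) for c in codes}
        # Plaintext is returned for one-time display and never stored.
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    @property
    def remaining(self):
        return len(self._hashes)

    def redeem(self, code):
        """Accept a code at most once; consuming it lowers `remaining`."""
        candidate = self._hash(code)
        match = next((h for h in self._hashes
                      if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self._hashes.discard(match)
        return True


if __name__ == "__main__":
    store = BackupCodes()
    sheet = store.regenerate()
    print(store.redeem(sheet[0]), store.redeem(sheet[0]), store.remaining)
```

Because only hashes are kept, the server has nothing to display later, which is why a sheet can be viewed only at the moment it is generated.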

Step-Up Reauth

Changing MFA factors requires fresh verification.

Adding an authenticator, adding a passkey, removing either, or generating backup codes all require a step-up reauth first. When you click the relevant button, a modal asks you to prove it is you using a factor you already have (your password, an existing authenticator, or a passkey). Once you verify, you have a short window where further security changes do not re-prompt.

Removing a Factor

Quick steps and the guardrail that keeps you signed in.

  • Click the trash icon next to the authenticator or passkey you want to remove.
  • Re-verify with step-up reauth.
  • Confirm in the dialog.
  • The factor is removed immediately; other verified factors remain in place.

Do not remove your last factor without a plan
Removing all factors does not lock you out of your current session, but leaves your next sign-in unprotected by MFA. Always keep at least one factor, or enroll a new one before removing an existing one.

Multiple Factors Are Allowed

Stack them for convenience and resilience.

You can enroll as many authenticators and as many passkeys as you like — there is no cap. A common setup is one authenticator on your phone, one passkey on each of the laptops you use, and a single sheet of backup codes in your password manager. At sign-in time, any of them can satisfy the MFA challenge.