Account security: MFA and recovery codes

Two-factor authentication (2FA) adds a second step to your sign-in: after your password, you enter a 6-digit code from an authenticator app on your phone. Recovery codes are your backup if you lose that phone. Set this up if your account can see anything you would not want exposed by a stolen password, which in a compliance workspace is everything.

2FA is per user. Enabling it protects your own sign-in only, not the whole organization.

Before you start

Enable two-factor authentication

  1. Open Settings in the side nav, then pick the Security tab.
  2. In the Two-factor authentication card, click Enable 2FA.
  3. A dialog titled "Enable two-factor authentication" opens. It shows two values:
    • Setup key (secret): type or paste this into your authenticator app as a new time-based (TOTP) entry.
    • otpauth link: paste this into an app that accepts otpauth links instead.
  4. Your authenticator app now shows a 6-digit code for CompStack that changes every 30 seconds.
  5. Enter that code in the 6-digit code field and click Verify & enable.
  6. On success you see "Two-factor authentication enabled." and the card shows a green Enabled tag with a row like "Authenticator app, TOTP, added 2026-07-09".

If you close the dialog with Cancel before verifying, the half-finished setup is discarded and 2FA stays off.

Save your recovery codes

Right after enrollment succeeds, a dialog titled Save your recovery codes appears with 8 codes in the format XXXX-XXXX-XXXX.

  1. Click Copy all and paste the codes into your password manager, or write them down.
  2. Click I saved them to close the dialog.

Important facts about these codes:

If you lose the codes but still have your authenticator, click Regenerate recovery codes in the Security tab. Confirm the "Regenerate recovery codes?" dialog. Your old codes stop working and a new set of 8 is shown once.

Sign in with 2FA

  1. Go to the sign-in page and enter your email and password as usual.
  2. You land on the Two-factor authentication page (/mfa-challenge). You cannot skip this page; deep links are pinned here until you verify.
  3. Enter the 6-digit code from your authenticator app in the Verification code field.
  4. Click Verify. On success you continue to the Dashboard.

If you are on the wrong account, use the "Sign out and use a different account" link at the bottom.

Sign in with a recovery code (lost phone)

  1. On the Two-factor authentication page, click Use a recovery code. This link only appears if you still have unused codes.
  2. Enter one of your saved codes in the Recovery code field (dashes and case do not matter).
  3. Click Use recovery code.
  4. A dialog confirms: your code was accepted and two-factor authentication has been turned off for your account. Your remaining recovery codes no longer work either.
  5. Click Continue to reach the Dashboard.
  6. Go to Settings > Security and enable 2FA again with your new device as soon as you can.

This is by design: a recovery code cannot stand in for an authenticator long-term, so redeeming one resets 2FA instead. Treat recovery sign-in as a one-time escape hatch, not a routine.

Disable two-factor authentication

  1. Go to Settings > Security.
  2. In the Two-factor authentication card, click Disable 2FA.
  3. Confirm the "Disable two-factor authentication?" dialog by clicking Disable 2FA.
  4. You see "Two-factor authentication disabled." Your recovery codes are deleted at the same time. You can re-enable 2FA at any time.

Try it

If something goes wrong

Related pages: Admin and onboarding, Org data export and inviting members.

← Back to CompStack